Superselection rules and quantum protocols 
We show that superselection rules do not enhance the information-theoretic security of quantum
cryptographic protocols. Our analysis employs two quite different methods. The first method uses 
the concept of a reference system — in a world subject to a superselection rule, unrestricted oper- 
ations can be simulated by parties who share access to a reference system with suitable properties. 
By this method, we prove that if an n-party protocol is secure in a world subject to a superselection 
rule, then the security is maintained even if the superselection rule is relaxed. However, the proof 
applies only to a limited class of superselection rules, those in which the superselection sectors are 
labeled by unitary irreducible representations of a compact symmetry group. The second method 
uses the concept of the format of a message sent between parties — by verifying the format, the 
recipient of a message can check whether the message could have been sent by a party who per- 
formed charge-conserving operations. By this method, we prove that protocols subject to general 
superselection rules (including those pertaining to nonabelian anyons in two dimensions) are no 
more secure than protocols in the unrestricted world. However, the proof applies only to two-party 
protocols. Our results show in particular that, if no assumptions are made about the computational 
power of the cheater, then secure quantum bit commitment and strong quantum coin flipping with 
arbitrarily small bias are impossible in a world subject to superselection rules. 

PACS numbers: 03.67.Dd 



I. INTRODUCTION 

The central aim of modern cryptography is to for- 
mulate protocols that achieve cryptographic tasks with 
computational security, meaning that a dishonest party 
would need to perform a prohibitively difficult compu- 
tation to break the protocol. A major goal of quan- 
tum cryptography is to formulate protocols, involving the 
exchange of quantum states, that achieve information- 
theoretic security, meaning that even an adversary with 
unlimited computational power would be unable to defeat
the protocol [1]. Information-theoretic security
(sometimes called "unconditional security") has been
established for quantum key distribution protocols,
but it has also been shown that, even in the
quantum world, information-theoretic security is not
attainable for certain tasks. For example, unconditionally
secure quantum bit commitment is impossible, as
is (strong) quantum coin flipping with arbitrarily small
bias [10, 11].

Superselection rules are limitations on the physically 
realizable quantum operations that can be carried out 
by a local agent. For example, it is impossible to create 
or destroy an isolated particle that carries locally con- 
served charges, such as an electrically charged particle, 
a fermion, or (in a two-dimensional medium) an anyon. 
Recently, Popescu has suggested that superselection 
rules might have interesting implications for the security 
of quantum cryptographic protocols. The intuitive idea 
behind this suggestion is that superselection rules could 
place inviolable limits on the cheating strategies available 
to the dishonest parties, thus enhancing security. Might, 
say, unconditionally secure bit commitment be possible 
in worlds (perhaps including the physical world that we
inhabit) governed by suitable superselection rules? An
affirmative answer could shake the foundations of cryp- 
tography. 

The purpose of this paper is to answer Popescu's in- 
triguing question. Sadly, our conclusion is that superse- 
lection rules can never foil a cheater who has unlimited 
quantum-computational power. 

In the case of quantum bit commitment, and other 
two-party protocols, our argument hinges on a quite sim- 
ple observation. In a two-party protocol, one participant 
(Alice) has control of a local system A, and the other 
participant (Bob) has control of another local system B. 
In addition, there is a message system M that they pass 
back and forth. In each step of the protocol, one party 
performs a joint quantum operation on her/his local sys- 
tem and the message system, and then sends the message 
system to the other party. Suppose that in each step, any 
part of the full system ABM that is beyond Alice's con- 
trol is under Bob's control and vice-versa — no part of 
the full system is inaccessible or in the possession of a 
third party. Suppose further that the full system ABM 
has trivial total charge (belongs to the trivial superse- 
lection sector). Then at any stage of the protocol, the 
algebra of operations that Alice can perform is the
commutant of the algebra of operations that Bob can
perform; that is, Alice's algebra contains all operations that
commute with Bob's algebra. Likewise, Bob's algebra is
the commutant of Alice's. By a minor extension of the
standard argument, it then follows that unconditionally
secure quantum bit commitment is impossible if the total
charge shared by the parties is trivial.

Now, if the total charge is nontrivial, then Alice's
algebra is surely a subalgebra of the commutant of Bob's,
but it may be a proper subalgebra; similarly, Bob's
algebra may be a proper subalgebra of Alice's. This unusual
property of the local operations seems to open new
possibilities for the design of quantum protocols. Regrettably,
though, there is no way for an honest party to ensure 
that the total charge is really nontrivial, when the other 
party is dishonest. Though the honest protocol may call 
for the parties to start out with nontrivial charges, we 
may always imagine that there are actually compensat- 
ing charges beyond the grasp of Alice and Bob, so that 
the total charge of the world is really trivial. Further- 
more, a cheater might seize control of the compensating 
charge, while for an honest party it makes no difference 
whether the compensating charge is present or not. It 
follows that a protocol that calls for the total charge to 
be nontrivial can be no more secure than one in which 
the total charge is actually trivial; we conclude again 
that unconditionally secure quantum bit commitment is 
impossible, irrespective of the value of the total charge 
shared by the parties in the honest protocol. 

Aside from quantum bit commitment, we will 
also study the impact of superselection rules on the 
information-theoretic security of a broad class of other 
quantum protocols, using two different methods. We an- 
alyze in detail the important special case where the su- 
perselection sectors can be identified with the unitary ir- 
reducible representations of a compact symmetry group. 
In that case, we argue that it is possible in principle to 
prepare a reference state that establishes a preferred ori- 
entation in the symmetry group. A party with access to 
the reference state can use it to perform operations that 
are ostensibly forbidden by the superselection rule. In 
particular, consider an n-party quantum protocol where 
up to k < n of the parties are dishonest, and suppose 
that in a world with no superselection rules the dishonest 
parties have a cheating strategy that breaks the protocol. 
Then, even in a world with superselection rules, the dis- 
honest parties, by sharing a suitable reference state, can 
simulate this cheating strategy faithfully. We conclude 
that if a quantum protocol is information-theoretically
secure in a world with a superselection rule, the security 
will be maintained even if the superselection rule is re- 
laxed, at least in the case where the superselection rule 
arises from a compact symmetry group. 

Superselection rules arising from compact symmetry 
groups are not the most general possible ones. In partic- 
ular, an especially rich variety of superselection rules are 
potentially realizable in two-dimensional systems such as 
those that admit nonabelian anyons. However even su- 
perselection rules of this more general kind cannot foil 
a cheater. We find that for any two-party protocol that 
is secure in a world subject to a superselection rule, the 
security is maintained when the superselection rule is re- 
laxed. 

Our analysis of these more general superselection rules 
does not rely on the concept of a reference system; rather 
it is founded on a completely different idea, the concept 
of the format of a message. A superselection rule can 
always be characterized by saying that there are charges 
that must be conserved by all local operations, and when
we relax the superselection rule, in effect we are permit-
ting a cheater to violate these conservation laws. For the 
purpose of assessing the security of a two-party protocol, 
we are interested in how the actions of the cheating party 
(Alice) affect the outcomes of measurements performed 
by the honest party (Bob). Potentially, if Alice is granted 
the power to violate conservation of "charge," her ability 
to influence Bob's measurements will be strengthened. 

However, if the total charge shared by Alice and Bob 
is trivial (as we are entitled to assume in an analysis of 
security), then if charge is conserved, Alice and Bob hold
conjugate charges at each stage of the protocol. There- 
fore, Bob always knows what charge Alice is supposed 
to have, which constrains the type of message that Alice 
can send to Bob if she is honest. When Bob receives a 
message he can verify its format, checking whether the 
message could have been sent by a party who performed 
a charge-conserving operation, and he can abort the pro- 
tocol if the verification fails. Therefore, if the protocol 
ends normally, Alice has been forced to respect charge 
conservation — her power to flout the superselection rule 
does not enhance her ability to fool Bob. This reasoning 
shows that superselection rules cannot thwart cheating, 
but because the argument relies on the property that Al- 
ice and Bob hold perfectly correlated charges, it works 
only for two-party protocols. 

For cryptographic protocols with more than two par- 
ties, and for general superselection rules, new subtleties 
arise. In two spatial dimensions, general charges are not 
merely locally conserved, they may also have nontrivial 
braiding properties — the exchange of two charges may 
induce a nontrivial transformation on their joint Hilbert 
space. This means that the effect of sending a message 
from one party to another can depend on the path along 
which the message travels. It is an interesting problem to 
specify appropriate definitions of security for protocols in 
this setting, but we will not attempt to address this issue 
here. For the special case of charges labeled by unitary 
representations of compact groups, the braiding prop- 
erties are trivial; therefore in that case we can analyze 
multiparty protocols without confronting such questions. 

Verstraete and Cirac recently discussed a data- 
hiding protocol whose security is premised on a super- 
selection rule. However, as the authors recognized, the 
protocol is not unconditionally secure; it can be broken if 
the parties establish a suitable shared reference state via 
quantum communication. The notion that the naive im- 
plications of a superselection rule can be evaded through 
the use of a suitable reference system was emphasized 
long ago by Aharonov and Susskind [14]; see Qj| for a
recent discussion. A special case of our main result was 
reported earlier in 

The rest of this paper is organized as follows: We
develop the concept of a reference system in Sec. II, first for
abelian, then for nonabelian symmetries, and we explain
how a reference system can be used to simulate
unrestricted operations in a world subject to superselection
rules arising from a symmetry group; this observation is
applied in Sec. III to the analysis of the security of
quantum protocols. In Sec. IV we explore the distinction
between an itinerant reference system that is passed from
party to party as needed during a protocol, and a
distributed reference system that can be prepared and passed
out to the parties before the protocol begins.
Superselection rules arising from nonabelian symmetries are further
characterized in Sec. and we comment in Sec. VI on
the data-hiding protocol of Verstraete and Cirac. Our
analysis of the impact of superselection rules on the
security of quantum bit commitment is in we also
show there that for the analysis of security of an n-party
protocol, it suffices to consider the case in which the total
charge held by the parties is trivial. Two-party protocols
subject to general superselection rules are investigated
in Sec. VIII, and Sec. IX contains some concluding
comments.



II. SUPERSELECTION RULES AND 
REFERENCE SYSTEMS 

A superselection rule is a decomposition of Hilbert
space into sectors that are preserved by local operations. 
The different sectors can be distinguished by attaching 
to each sector a label, which we refer to as the sector's 
"charge." Therefore, an equivalent way to characterize 
a superselection rule is to say that the charge is locally 
conserved. In the context of a cryptographic protocol, 
this means that when one of the parties (Alice, say) per- 
forms an operation, the charge in Alice's laboratory is 
preserved. 

An important special case arises if the Hilbert space 
$\mathcal{H}$ transforms as a unitary representation of a compact
group G, and the sectors are labeled by the irreducible
representations of G. An equivalent way to describe the
superselection rule in that case is to say that the allowed
operations must commute with the action of G on $\mathcal{H}$.
In fact, it has been shown by Doplicher and Roberts
that such superselection rules are almost the most general 
ones allowed under rather weak conditions that apply in 
particular to quantum field theories (without gravity) in 
three or more spatial dimensions. We say "almost" be- 
cause there is an additional freedom to assign to a local- 
ized state an even or odd fermion number. This fermion 
number is more than just a conserved charge, because of 
the property that the wave function changes sign when 
two fermions are exchanged.

In two spatial dimensions, there is a richer classifica- 
tion of superselection rules, reflecting the exotic quantum 
numbers carried by pointlike nonabelian anyons that
occur in topological quantum field theories [18, 19, 20]. We
will postpone further discussion of nonabelian anyons
until Sec. VIII, concentrating for now on the superselection
rules associated with compact symmetry groups (and
ignoring fermions).

An important example is the group U(1) associated
with conservation of the electric charge Q. An agent
acting locally can create or annihilate pairs of particles that
carry equal and opposite charges, but cannot change the
total charge in her vicinity. In particular, this agent is
unable to transform any eigenstate of Q into a coherent
superposition of states with different charges, as
emphasized by Wick, Wightman, and Wigner [21, 22].

While we might readily accept that local creation of 
electric charge is physically impossible, other conserva- 
tion laws impose superselection rules that do more vio- 
lence to our intuition. Suppose, for example (in nonrela- 
tivistic quantum mechanics), that our agent's actions are 
required to conserve the angular momentum J locally. 
Are we to conclude that if the agent is presented with a 
spin-1/2 object polarized spin-up along the z axis, it is 
impossible for him to transform it to a coherent superpo- 
sition of the spin-up and spin-down states? How are we 
to describe what happens when a magnetic field is turned 
on pointing in the x direction and the spin begins to pre- 
cess? A partial resolution of this puzzle is attained by 
noting that the angular momentum of a classical magnet 
has an uncertainty large compared to $\hbar$, so that
conservation of angular momentum need not prevent the magnet
from coherently exchanging $J_z = \hbar$ with the spin. But
this explanation does not fully address how the existence 
of the classical magnet is itself compatible with the su- 
perselection rule. 

Such issues were cogently discussed many years ago by 
Aharonov and Susskind. They emphasized that even
if the total angular momentum has a definite value (like 
zero), we can still speak sensibly of the relative orien- 
tation of two subsystems. Whenever an experimentalist 
observes the precession of a spin, it is implicit that a 
reference state has been established that in effect breaks 
the rotational symmetry, and that the precession is mea- 
sured relative to this reference standard. Furthermore, 
Aharonov and Susskind [14] emphasized that just as
conservation of angular momentum need not prevent us from
measuring the relative angular orientation of two objects, 
so the charge superselection rule need not prevent us from 
measuring relative phases in superpositions of states of 
different charge. 



A. Abelian case 

Before we discuss the more general case in which the 
symmetry may be nonabelian, it will be useful to
consider the symmetry group $G = U(1)$. Then the charge
operator $Q$ (the generator of $G$) has eigenvalues $q \in \mathbb{Z}$,
and we denote the corresponding orthonormal eigenstates
by $|q\rangle$. Formal states of definite phase (with continuum
normalization) can be constructed as

$$|\theta\rangle = \frac{1}{\sqrt{2\pi}} \sum_{q=-\infty}^{\infty} e^{-iq\theta}\,|q\rangle \qquad (0 \le \theta < 2\pi), \tag{1}$$

where

$$\langle\theta'|\theta\rangle = \frac{1}{2\pi} \sum_{q=-\infty}^{\infty} e^{-iq(\theta-\theta')} = \delta(\theta'-\theta), \tag{2}$$

and

$$|q\rangle = \frac{1}{\sqrt{2\pi}} \int_0^{2\pi} d\theta\; e^{iq\theta}\,|\theta\rangle. \tag{3}$$

The phase state $|\theta\rangle$ is the improper eigenstate with
eigenvalue $e^{i\theta}$ of the unitary operator

$$U_+ = \sum_{q=-\infty}^{\infty} |q+1\rangle\langle q| \tag{4}$$

that increments the value of the charge by one unit.
While the phase $\theta$ is physically unobservable due to the
charge superselection rule, the relative phase $\theta' - \theta$ of
the two states $|\theta'\rangle$ and $|\theta\rangle$ commutes with the charge
operator $Q$ and so is measurable in principle. Indeed, the
state

$$\int_0^{2\pi} d\theta''\; |\theta'+\theta''\rangle \otimes |\theta+\theta''\rangle = \sum_{q=-\infty}^{\infty} e^{-iq(\theta-\theta')}\,|{-q}\rangle \otimes |q\rangle \tag{5}$$

has a definite value of the relative phase $\theta' - \theta$ and total
charge zero. That is, it is an (unnormalizable) eigenstate
with eigenvalue $e^{i(\theta-\theta')}$ of the charge-conserving operator
$U_- \otimes U_+$, where $U_- = U_+^\dagger$.

Similarly, the phases $\phi_q$ appearing in the expansion of
the state $|\psi\rangle_A$ of a system A,

$$|\psi\rangle_A = \sum_q \psi_q\, e^{-iq\phi_q}\,|q\rangle_A \tag{6}$$

(where the $\psi_q$'s are real and positive), are themselves
unobservable, but they can be meaningfully compared
to the phases appearing in the state $|\theta\rangle_R$ of a charge
reservoir R. For example, by projecting $|\theta\rangle_R \otimes |\psi\rangle_A$ onto
the sector with total charge zero we obtain the state

$$|\psi\rangle_{RA} = \frac{1}{\sqrt{2\pi}} \int_0^{2\pi} d\theta'\; |\theta+\theta'\rangle_R \otimes e^{-iQ\theta'}\,|\psi\rangle_A = \sum_q \psi_q\, e^{-iq(\phi_q-\theta)}\,|{-q}\rangle_R \otimes |q\rangle_A, \tag{7}$$

which has measurable relative phases. A state like $|\theta\rangle_R$
of a charge reservoir R that provides a phase standard
with which other states can be compared will be called a
"reference state" or a "condensate."

In the state $|\psi\rangle_{RA}$, the charge of the system A is
compensated ("screened") by the charge of the reservoir R.
Therefore, the system and reservoir are entangled, and
tracing out the reservoir destroys the coherence of the
superposition of charge states for the system. While
formally correct, this statement can be misleading if the
reservoir remains accessible and is allowed to interact
with the system during subsequent operations. For
example, the operator $(U_+)_A$ that increases the charge of
the system by one unit is disallowed by the superselection
rule, but it can be accurately simulated by the allowed
charge-conserving operator $(U_-)_R \otimes (U_+)_A$ acting
on $|\psi\rangle_{RA}$ — this operator increases the charge of A by
borrowing a unit of charge from R. If the reservoir
remains accessible at all times, then an arbitrary (not
necessarily charge conserving) operation acting on A can be
perfectly simulated by a charge-conserving operation acting
on RA. Thus, at least as a matter of principle, the
charge superselection rule places no inescapable
restrictions on the allowed operations. This is the main point
stressed by Aharonov and Susskind [14].

The phase reference state can be interpreted physically 
as a static piece of superconducting material with a defi- 
nite value of the superconducting phase. While the phase 
itself is not gauge-invariant, the relative phase of the
system and reservoir has observable consequences (like the
Josephson effect) when the two are brought into contact.
Similar issues, discussed in 0, USEE 113 > arise when 
considering the physical content of relative phases in op- 
tical systems. 

B. Nonabelian case 

Our discussion of the abelian case has suggested that 
superselection rules are nullified if suitable reference sys- 
tems are available. Now we consider the more general 
case, where the symmetry group is G, which may be 
either a finite group or a compact Lie group. The su- 
perselection rule dictates that allowed local operations 
must commute with G. But we may anticipate that if 
a condensate is accessible that completely breaks the G 
symmetry, then in effect there is no operative symmetry 
at all, and the superselection rules place no restrictions 
on the allowed operations. 

Formally, if the symmetry is completely broken, then 
the possible orientations of the condensate are in one-to- 
one correspondence with the elements of the symmetry 
group G. In a particular "fixed gauge," the states of 
the condensate are denoted $|\phi\rangle$ where $\phi \in G$, and these
states transform as the left regular representation of G.
That is, a symmetry transformation $g \in G$ acting on the
condensate is represented by the unitary $U(g)$ where

$$U(g)\,|\phi\rangle = |g\phi\rangle. \tag{8}$$

These states can be expanded in the basis of irreducible
representations of G as

$$|\phi\rangle = \sum_{q,i,a} \sqrt{\frac{n_q}{n_G}}\; |q,i,a\rangle\, D^q_{ia}(\phi), \tag{9}$$

where $n_q$ denotes the dimension of the irreducible
representation $D^q(\phi)$ and $n_G$ is the order of G. Inverting the
Fourier transform we obtain

$$|q,i,a\rangle = \sum_{\phi\in G} \sqrt{\frac{n_q}{n_G}}\; |\phi\rangle\, D^q_{ia}(\phi)^*. \tag{10}$$

Note that in eqs. (9)-(10) we have used notation appropriate
for a finite group; in the case of a compact Lie group, the
sum over $\phi \in G$ would be replaced by an integral with
respect to an invariant measure on the group. The states
$|q,i,a\rangle$ transform under G as

$$U(g)\,|q,i,a\rangle = \sum_j |q,j,a\rangle\, D^q_{ji}(g). \tag{11}$$

In keeping with standard physics terminology, we will
refer to the index $i = 1, 2, \ldots, n_q$ in $|q,i,a\rangle$ as the "color
index," and to the action eq. (11) of $U(g)$ on this index
as a "gauge transformation." The index $a = 1, 2, \ldots, n_q$,
distinguishing the $n_q$ copies of the representation $D^q$
that occur in the decomposition of the regular
representation, will be called the "flavor" index. The physical
"G-invariant" operations are those that commute with
all gauge transformations — these preserve $q$ and act
nontrivially only on the flavor, not the color. Therefore,
by including the color we have chosen a redundant
description of the physical Hilbert space. This redundancy,
while not absolutely necessary, is quite convenient, and
in particular will be useful for our discussion in Sec. III
of the security of quantum protocols.

In addition to the G gauge symmetry, there is also a
group G of "global" transformations that commute with
$U(g)$, under which the states $|\phi\rangle$ transform as the right
regular representation of G; the element $h$ of the global
group is represented by $V(h)$ where

$$V(h)\,|\phi\rangle = |\phi h^{-1}\rangle \tag{12}$$

and

$$V(h)\,|q,i,a\rangle = \sum_b |q,i,b\rangle \;\ldots \tag{13}$$

Thus the global transformations act on the flavor index
$a$ of the states in the $\{|q,i,a\rangle\}$ basis — unlike the gauge
transformations, they act nontrivially on the physical
states.

In more geometric terms, a condensate may be inter- 
preted as an asymmetric classical rigid body that can be 
rotated either "actively" or "passively." What we have 
called the color (gauge) rotation is a passive rotation that 
acts on the space-fixed axes — it does not change the ac- 
tual orientation of the body but only changes our mathe- 
matical description of the orientation. In contrast, what 
we have called the flavor (global) rotation is an active 
rotation that acts on the body-fixed axes and alters the 
physical orientation. A flavor rotation is G-invariant in 
the sense that it commutes with color rotations, and so is 
a physical operation, allowed by the superselection rule. 

In contrast to the flavor orientation, the color
orientation of an isolated system A has no invariant meaning, as
it is modified by a color rotation. However, the
orientation of A relative to the condensate R does have meaning,
and an operator that rotates the relative orientation
admits an invariant description. Suppose, for example, that
system A is itself a condensate in the state $\phi_A$, while the
state of R is $\phi_R$. The relative orientation

$$\phi_{RA} = \phi_R^{-1}\,\phi_A \tag{14}$$

is invariant if a common color rotation

$$U(h)_{RA}:\ \phi_A \to h\phi_A, \quad \phi_R \to h\phi_R \tag{15}$$

is applied to both objects. The transformation $U(g)^{\rm inv}_{RA}$
that changes the relative orientation according to

$$U(g)^{\rm inv}_{RA}:\ \phi_{RA} \to g\,\phi_{RA} \tag{16}$$

has an invariant meaning and commutes with the color
rotation $U(h)_{RA}$. We may interpret the invariant
rotation as one that rotates A while R is "held fixed," acting
as

$$U(g)^{\rm inv}_{RA}\,\bigl(|\phi_R\rangle \otimes |\phi_A\rangle\bigr) = |\phi_R\rangle \otimes |\phi_R\, g\, \phi_R^{-1}\phi_A\rangle, \tag{17}$$

or equivalently

$$U(g)^{\rm inv}_{RA} = \sum_{\phi\in G} (|\phi\rangle\langle\phi|)_R \otimes U(\phi g \phi^{-1})_A. \tag{18}$$


If system A is not a reference system but rather an
object transforming as the irreducible representation $q$
of G, then $U(\phi g \phi^{-1})$ can be expanded as

$$U(g)^{\rm inv}_{RA} = \sum_{\phi\in G} (|\phi\rangle\langle\phi|)_R \otimes \sum_{i,j,a,b} |q,i\rangle\, D^q_{ia}(\phi)\, D^q_{ab}(g)\, D^q_{bj}(\phi^{-1})\, \langle q,j|. \tag{19}$$

More generally, any transformation

$$M_A:\ |q,i\rangle_A \to \sum_j |q,j\rangle_A\, M_{ji} \tag{20}$$

acting on the color degree of freedom can be simulated
by the invariant operation

$$M^{\rm inv}_{RA} = \sum_{\phi\in G} (|\phi\rangle\langle\phi|)_R \otimes \sum_{i,j,a,b} |q,i\rangle\, D^q_{ia}(\phi)\, M_{ab}\, D^q_{bj}(\phi^{-1})\, \langle q,j|. \tag{21}$$

$M^{\rm inv}_{RA}$ has an invariant meaning because it transforms the
color of A relative to the color of the reference system R;
in effect, the color rotation is simulated by converting the
color index into a flavor index (depending on $\phi$), on which
M may act with impunity. For fixed $\phi$, the simulation is
achieved via the isomorphism

$$|q,a\rangle_A \to |q,\phi,a\rangle_{RA} = |\phi\rangle_R \otimes \sum_j |q,j\rangle_A\, D^q_{ja}(\phi), \tag{22}$$

such that

$$M^{\rm inv}_{RA}\,|q,\phi,a\rangle_{RA} = \sum_b |q,\phi,b\rangle_{RA}\, M_{ba}. \tag{23}$$

Furthermore, this isomorphism can be extended to
operators M that change the value of $q$ as well as rotating
the color for fixed $q$; the operator

$$M_A:\ |q,i\rangle_A \to \sum_{q',j} |q',j\rangle_A\, M^{q'q}_{ji} \tag{24}$$

is simulated by

$$M^{\rm inv}_{RA}\,|q,\phi,a\rangle_{RA} = \sum_{q',b} |q',\phi,b\rangle_{RA}\, M^{q'q}_{ba}, \tag{25}$$

which generalizes the result

$$M^{\rm inv}_{RA}\,\bigl(|\theta\rangle_R \otimes e^{-iq\theta}\,|q\rangle_A\bigr) = |\theta\rangle_R \otimes \sum_{q'} e^{-iq'\theta}\,|q'\rangle_A\, M^{q'q} \tag{26}$$

that we found in the case of $G = U(1)$.


C. Properties of the simulation 

We will refer to the world in which all operations are
required to commute with the action of the symmetry
group G as the "invariant world" or "I-world," and we
refer to the world in which arbitrary operations are
allowed as the "unrestricted world" or "U-world." What
we have observed in eq. (22-25) is that the physics of the
U-world can be faithfully reproduced in the I-world, as
long as a suitable reference system is at our disposal.

Let us restate the main conclusion in a more succinct
notation: Suppose A is an arbitrary system that
transforms as some representation of the group G, and let R
be a "reference system" that transforms as the left
regular representation of G. Let M be an arbitrary
transformation acting on A. Then there is a corresponding
transformation $M^{\rm inv}$ acting on R and A defined as

$$M^{\rm inv} = \sum_{\phi\in G} (|\phi\rangle\langle\phi|)_R \otimes \bigl(U(\phi)\, M\, U(\phi)^{-1}\bigr)_A. \tag{27}$$

$M^{\rm inv}$ is an invariant operator whose action on RA
simulates the action of M on A.

That is, the operators $M^{\rm inv}$ have the following easily
verified properties:

1. $M^{\rm inv}$ is G-invariant.

Proof: From the transformation properties of R
and A we have

$$(U(g)\otimes U(g))\, M^{\rm inv}\, (U(g)^{-1}\otimes U(g)^{-1}) = \sum_{\phi\in G} (|g\phi\rangle\langle g\phi|) \otimes \bigl(U(g\phi)\, M\, U(g\phi)^{-1}\bigr) = M^{\rm inv}, \tag{28}$$

where in the last step we have reparametrized the
sum by replacing $\phi \to g^{-1}\phi$.

2. Invariant operators on RA provide a representation
of operators on A.

Proof: We have

$$M_1^{\rm inv} M_2^{\rm inv} = \sum_{\phi_1,\phi_2\in G} (|\phi_1\rangle\langle\phi_1|\phi_2\rangle\langle\phi_2|) \otimes \bigl(U(\phi_1) M_1 U(\phi_1)^{-1}\, U(\phi_2) M_2 U(\phi_2)^{-1}\bigr) = \sum_{\phi\in G} (|\phi\rangle\langle\phi|) \otimes \bigl(U(\phi)\, M_1 M_2\, U(\phi)^{-1}\bigr) = (M_1 M_2)^{\rm inv}. \tag{29}$$

3. If M is G-invariant, then $M^{\rm inv} = I_R \otimes M_A$.

Proof: If $U(\phi)$ commutes with M for each $\phi$, then

$$M^{\rm inv} = \sum_{\phi\in G} (|\phi\rangle\langle\phi|) \otimes M = I \otimes M. \tag{30}$$

4. If $\rho$ is invariant and ${\rm tr}(\rho_R) = 1$, then

$${\rm tr}\, M^{\rm inv} (\rho_R \otimes \rho) = {\rm tr}\, M\rho. \tag{31}$$

Proof: If $U(\phi)$ commutes with $\rho$ for each $\phi$, then

$${\rm tr}\, M^{\rm inv} (\rho_R \otimes \rho) = \sum_{\phi\in G} \langle\phi|\rho_R|\phi\rangle\; {\rm tr}\bigl(M\, U(\phi)^{-1} \rho\, U(\phi)\bigr) = {\rm tr}(\rho_R)\cdot{\rm tr}(M\rho) = {\rm tr}(M\rho). \tag{32}$$

The properties 1 and 4 mean that as long as the state
$\rho$ of A is G-invariant, then by making use of a reference
system, measurements in the U-world can be faithfully
simulated by measurements in the I-world. That is, given
an arbitrary measurement performed on A (with
operation elements that are not necessarily G-invariant), there
is an invariant measurement performed on RA (with
G-invariant operation elements) that has the same
probability distribution of outcomes. Furthermore, it follows
from property 2 that the physics of the U-world can be
faithfully reproduced in the I-world even if the
measurement is preceded by a series of unitary transformations
- applying $V^{\rm inv}$ in the I-world has the same effect as
applying V in the U-world. Property 3 tells us that, as
expected, the reference system R is superfluous if the
U-world transformation acting on A is already G-invariant.
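
The following is an added example, not code from the paper: it checks properties 1-4 of eq. (27) by exact arithmetic for the finite group G = S_3. It assumes A is a three-dimensional system in the permutation representation and R is the six-dimensional left regular representation; the operators M1, M2, J and the states RHO, RHO_R are constructed sample inputs.

```python
from fractions import Fraction
from itertools import permutations

# G = S_3; an element g is a tuple with g[i] = image of i.
G = list(permutations(range(3)))
IDX = {g: k for k, g in enumerate(G)}

def compose(g, h):
    """Group product gh, acting as (gh)(i) = g(h(i))."""
    return tuple(g[h[i]] for i in range(3))

def inverse(g):
    inv = [0, 0, 0]
    for i, gi in enumerate(g):
        inv[gi] = i
    return tuple(inv)

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def kron(X, Y):
    """Tensor product X (x) Y, first factor = R, second factor = A."""
    return [[x * y for x in xr for y in yr] for xr in X for yr in Y]

def trace(X):
    return sum(X[i][i] for i in range(len(X)))

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def U_A(g):
    """System A (assumed): permutation representation, U(g)|i> = |g(i)>."""
    return [[int(g[j] == i) for j in range(3)] for i in range(3)]

def U_R(g):
    """Reference system R: left regular representation, U(g)|phi> = |g phi>."""
    return [[int(compose(g, G[j]) == G[i]) for j in range(6)] for i in range(6)]

def joint_rep(g):
    """Common color rotation U(g) (x) U(g) acting on RA."""
    return kron(U_R(g), U_A(g))

def lift(M):
    """Eq. (27): M_inv = sum_phi (|phi><phi|)_R (x) (U(phi) M U(phi)^-1)_A."""
    total = [[0] * 18 for _ in range(18)]
    for phi in G:
        k = IDX[phi]
        proj = [[int(i == j == k) for j in range(6)] for i in range(6)]
        block = matmul(matmul(U_A(phi), M), U_A(inverse(phi)))
        term = kron(proj, block)
        total = [[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(total, term)]
    return total

def commutes_with_G(X, rep):
    """True if X commutes with rep(g) for every g in G, i.e. X is G-invariant."""
    return all(matmul(rep(g), X) == matmul(X, rep(g)) for g in G)

# Constructed sample inputs (not from the paper).
M1 = [[1, 2, 0], [0, 0, 3], [4, 0, 5]]      # not G-invariant: forbidden in the I-world
M2 = [[0, 1, 0], [0, 0, 0], [7, 0, 2]]
J = [[1] * 3 for _ in range(3)]             # all-ones matrix, commutes with permutations
RHO = [[Fraction(int(i == j) + 1, 6) for j in range(3)] for i in range(3)]  # (I + J)/6
DIAG = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 8), 0, 0]
RHO_R = [[DIAG[i] if i == j else 0 for j in range(6)] for i in range(6)]
RHO_R[0][1] = RHO_R[1][0] = Fraction(1, 8)  # arbitrary, non-invariant reference state

def check_properties():
    return {
        "M1_allowed_in_I_world": commutes_with_G(M1, U_A),
        "rho_is_invariant": commutes_with_G(RHO, U_A),
        "property_1": commutes_with_G(lift(M1), joint_rep),
        "property_2": matmul(lift(M1), lift(M2)) == lift(matmul(M1, M2)),
        "property_3": lift(J) == kron(identity(6), J),
        "property_4": trace(matmul(lift(M1), kron(RHO_R, RHO)))
                      == trace(matmul(M1, RHO)),
    }

if __name__ == "__main__":
    for name, ok in check_properties().items():
        print(name, ok)
```

Only the first entry is False: M1 itself violates the superselection rule, while its lift to RA is invariant and reproduces the same expectation value on the invariant state.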
To derive these properties, we require that the
reference system transform as the regular representation of
G, but no condition is needed on the state $\rho_R$ of the
reference system. Loosely speaking, the reference system is
needed so that when a noninvariant operation acts on A,
the change in the charge of A can be balanced by a
compensating change in the charge of R. But if the state $\rho$ of
A is invariant, then only the charge-conserving part of M
contributes to the expectation value ${\rm tr}(M\rho)$ anyway. In
the simulation of this charge-conserving part of M, the
reference system is superfluous and its state irrelevant.

Note that if G is a Lie group rather than a finite group,
then the regular representation is infinite dimensional,
and our formal arguments require R to be an
infinite-dimensional system. How is the fidelity of the simulation
affected if R is truncated to a finite-dimensional system?
In fact, the fidelity will still be perfect if the charge
remains bounded in the process to be simulated. Consider,
for example, the case $G = U(1)$, for which eq. (27)
becomes, e.g.,

$$(|q-r\rangle\langle q|)^{\rm inv} = \sum_{q_R} (|q_R+r\rangle\langle q_R|)_R \otimes (|q-r\rangle\langle q|)_A; \tag{33}$$

in the I-world, a process in which $r$ units of charge are
removed from A is simulated by adding the $r$ units to R.
Suppose we are assured that the total charge added to or
removed from A will never exceed $r$ units. Then we may
choose the initial state of R to carry charge zero, and
we can limit R to the $2r+1$ dimensional space spanned
by the states $|q_R\rangle$, $q_R = -r, -r+1, \ldots, r-1, r$. This
truncated reference system suffices because states with
$|q_R| > r$ will never be accessed in the simulation anyway.
A similar remark applies if G is an arbitrary compact Lie
group.

III. REFERENCE SYSTEMS AND QUANTUM 
PROTOCOLS 

We have concluded that in the presence of a suitable
reference system, superselection rules place no inescapable
restrictions on the allowed operations. We may anticipate,
therefore, that a cryptographic protocol is secure in the
invariant "I-world" (governed by the superselection rule)
if and only if it is secure in the unrestricted "U-world."
If we faithfully adhere to the usual stringent principles of
quantum cryptology and place no restrictions on the resources
available to our adversaries, then we must admit the
possibility that the dishonest parties could share access to a
reference system during the execution of the protocol. For the
case of superselection rules arising from compact symmetry
groups, this observation suffices to answer Popescu's question
about the impact of superselection rules on the security of
quantum protocols.

Let us now discuss this point in greater detail. To be
explicit, consider at first a protocol involving two parties,
Alice and Bob. Alice holds a private local system A that
is beyond Bob's control, and Bob holds a private local
system B that is beyond Alice's control. In addition,
there is a message system M that they can pass back
and forth. At the beginning of the protocol, they share a
product state $\rho_A \otimes \rho_B \otimes \rho_M$. In each
round of the protocol, one of the parties performs a joint
quantum operation on her/his local system and the message,
and then sends the message system to the other party. Finally,
after all quantum communication is completed, both parties
perform local measurements. (See Fig. 1.)

FIG. 1: A two-player quantum game. Alice and Bob have
private systems, and a message system that they pass back
and forth. At the end of the game, Alice and Bob measure
their private systems.

For example, the goal of the protocol might be to flip
an unbiased coin. In that case, the final measurement
performed by each party has two possible outcomes, 0 or
1. If both parties follow the protocol, then both obtain
the same outcome. Furthermore, the two outcomes are
equiprobable. A coin flipping protocol is secure if neither
party, by departing from the protocol, can bias significantly
the outcome of the other party's measurement.

We say that a strong coin flipping protocol has bias $\varepsilon$
if neither party by cheating can force either outcome to
occur with probability greater than $\frac{1}{2} + \varepsilon$.
In a weak coin flipping protocol, Alice wins if the outcome is 0
and Bob wins if the outcome is 1, and we say that the bias is
$\varepsilon$ if neither can force a win with probability greater
than $\frac{1}{2} + \varepsilon$. (Thus, in a weak protocol with
bias $\varepsilon$, a cheater might be able to lose on purpose
with a probability exceeding $\frac{1}{2} + \varepsilon$). Note
that the protocol might abort if cheating is detected; by "the
probability of outcome 0" we mean the joint probability that the
protocol does not abort and the outcome is 0. Kitaev has shown
that, if no superselection rules are imposed, then strong quantum
coin flipping is impossible with bias
$\varepsilon < \frac{1}{\sqrt{2}} - \frac{1}{2} = .207$.
Ambainis [28] has shown that a weak coin flipping protocol with
bias $\varepsilon$ requires at least
$\Omega(\log\log\frac{1}{\varepsilon})$ rounds of communication.

We are interested in whether these conclusions about
coin flipping in the U-world remain valid in the I-world.
For a coin flipping protocol in the I-world, we may assume
that the initial state shared by Alice and Bob is a
tensor product of invariant states
$\rho_A \otimes \rho_B \otimes \rho_M$. In the honest protocol,
Alice and Bob take turns applying G-invariant operations to the
system that they share, then measure invariant observables. In
fact, without loss of generality, we may assume that each
operation applied by Alice or Bob is an invariant unitary
transformation, and that the final measurement is an invariant
projective measurement.

If Alice and Bob play the game honestly, then the probability
$P_B(b)$ that Bob's measurement yields the particular outcome b
can be expressed as

$$P_B(b) = {\rm tr}\left(E_{B,b}\, V (\rho_A \otimes \rho_B \otimes \rho_M) V^\dagger\right) , \qquad (34)$$

where

$$V = V_{B_n} V_{A_n} \cdots V_{B_2} V_{A_2} V_{B_1} V_{A_1} . \qquad (35)$$

Here the $V_{A_j}$ are unitary transformations applied to AM
(we have assumed that Alice makes the first move in the
game), the $V_{B_j}$ are unitary transformations applied to
BM, and the $E_{B,b}$ are the projectors defining Bob's final
measurement. Furthermore, in the I-world protocol,
$V_{A_j}$, $V_{B_j}$, and $E_{B,b}$ are G-invariant. In effect,
then, Bob measures the invariant operator

$$F_{B,b} = V^\dagger E_{B,b} V \qquad (36)$$

in the invariant state $\rho_A \otimes \rho_B \otimes \rho_M$.

Of course, a protocol in the I-world can be regarded
as a special case of a protocol in the U-world, where
the initial state is a product state, and Kitaev's result
applies to this U-world protocol. Therefore, one of the
parties (Alice, say) can force one of the outcomes (0, say)
with probability at least $\frac{1}{\sqrt{2}}$. However, Alice's
cheating strategy that achieves this result might employ
operations that are not G-invariant. To show that Kitaev's
result also applies to the original I-world protocol, we
must show that Alice's cheating strategy in the U-world
can be faithfully simulated in the I-world by making use
of a suitable reference system. For this purpose, we apply
the properties of the invariant operator $M^{\rm inv}$ that were
discussed in Sec. II C.

When Alice cheats in the U-world, she replaces the
operator $V_{A_j}$ called for in the honest protocol with an
arbitrary operator $V'_{A_j}$ applied to AM, where $V'_{A_j}$ is
not necessarily G-invariant. Then Bob's measurement yields
the outcome b with probability

$$P'_B(b) = {\rm tr}\left(F'_{B,b} (\rho_A \otimes \rho_B \otimes \rho_M)\right) , \qquad (37)$$

where

$$F'_{B,b} = V'^\dagger E_{B,b} V' \qquad (38)$$

and

$$V' = V_{B_n} V'_{A_n} \cdots V_{B_2} V'_{A_2} V_{B_1} V'_{A_1} . \qquad (39)$$

This cheating strategy in the U-world can be simulated
in the I-world if Alice has a reference system R —
instead of applying the noninvariant operator $V'_{A_j}$ to the
system AM, she applies the invariant operator
$V'^{\,\rm inv}_{A_j}$ to RAM. Note that since Bob follows the
honest protocol, which requires $V_{B_j}$ to be G-invariant,
applying $V_{B_j}$ to BM is equivalent to applying
$V^{\rm inv}_{B_j}$ to RBM, by property 3 in Sec. II C.
Therefore, when Alice adopts the I-world strategy, Bob obtains
outcome b with probability

P' B (b) = ti( F Bb (p R ® PA ®p B ® pm)) (40) 

where 

F' Bib = V'tE B>b V' (41) 

and 

V — V B n V A n ■■■ V B 2 V A 2 V Bi V Ai ■ 

But since the invariant operators provide a representation
(property 2), we may write V — V nnv , and since
E B ,b — E B v b as well, we have

= F'^b ■ (43) 

Finally, the initial state $\rho_A \otimes \rho_B \otimes \rho_M$
shared by Alice and Bob is G-invariant; therefore, by property 4,

P' B (b) = P' B (b); (44) 

the measurement outcome b in the I-world protocol occurs
with the same probability as the outcome b in the
U-world protocol.

Therefore, Alice's simulated cheating strategy in the
I-world perfectly reproduces the probability distribution
for Bob's measurement outcome that is achieved by her
cheating strategy in the U-world. The same is true if
Bob makes the first move in the game instead of Alice.
Similarly, if Bob is the cheater, Bob has a strategy in the
I-world that simulates his U-world cheating strategy. We
conclude that if Alice (or Bob) can cheat in the U-world,
then she (he) can cheat just as successfully in the I-world.
Thus, Kitaev's proof of the impossibility of strong coin
flipping with bias $\varepsilon < \frac{1}{\sqrt{2}} - \frac{1}{2}$,
originally formulated in the U-world, also applies to the
I-world. Similarly, Ambainis's lower bound on the number of
rounds of communication needed for weak coin flipping also
applies to the I-world.

This conclusion that cheating in the U-world can be
successfully simulated in the I-world applies not just to
coin flipping protocols, but to any two-party protocol in
which the goal of a cheating Alice is to bias the outcome
of a measurement performed by an honest Bob. Furthermore,
it is straightforward to generalize the argument
to an n-party protocol, in which k cheating parties wish
to bias the outcomes of measurements performed by the
n − k honest parties. For such a protocol in the I-world,
where the initial state is a product of invariant states, any
cheating strategy that can be executed in the U-world
can be simulated perfectly in the I-world if the k cheating
parties share access to a reference system. Therefore,
the protocol can be no more secure in the I-world than
in the U-world.

To summarize: Let us refer to an n-party quantum
game as an I-world game if the initial state is a product
of invariant states, and if in the honest protocol all
operations performed by the parties are invariant operations.
If k < n parties are cheaters, we say that their cheating
strategy is an I-world cheating strategy if the cheaters
are required to perform invariant operations, and we say
that their cheating strategy is a U-world cheating strategy
if the operations performed by the cheaters are unrestricted.
Let us say that an I-world cheating strategy is
equivalent to a U-world cheating strategy if both strategies
produce the same probability distributions for the
outcomes of the measurements performed by the n − k
honest parties. We have proved:

Theorem 1 Suppose that in the I-world all quantum
operations are required to be G-invariant, where G is a
compact Lie group, and that in the U-world quantum
operations are unrestricted. Consider an n-party I-world
quantum game, and a U-world cheating strategy A' in
which k < n parties cheat. Then there is an I-world
cheating strategy A' that is equivalent to A'.

As we observed in Sec. II C, the reference system required
by the cheaters in the I-world can be finite-dimensional,
as long as the cheaters in the U-world apply operations
that change the "charge" by a bounded amount.



IV. DISTRIBUTED REFERENCE SYSTEMS 

The key ingredient in our discussion of I-world quantum
protocols is the observation that G-noninvariant operations
can be faithfully simulated through the use of a
reference system. Suppose, for example, that Alice and
Bob take turns acting on a system C that they pass back
and forth. Then Alice and Bob in the I-world can simulate
an arbitrary U-world protocol in which the initial
state of C is G-invariant. They carry out the simulation
by passing the reference system R back and forth along
with C, each taking turns applying invariant operations
to RC. Similarly, in our analysis of cheating in Sec. III
we allowed the k cheaters to pass the reference system R
among themselves as needed during the execution of the
protocol. A reference system that travels from place to
place might be called itinerant.

Here we will briefly discuss an alternative scenario, in
which the parties share a distributed reference system —
each party holds a fixed portion of this system throughout
the execution of the protocol. This discussion is not
actually needed for our analysis of security, but it is helpful
nonetheless for understanding the physics of superselection
rules. Indeed, in many physical situations in
which reference systems are used (e.g., in optical physics),
the system is distributed rather than itinerant.

Let A denote Alice's part of the reference system, B 
denote Bob's part, and suppose that at the start of the 
protocol AB is prepared in the state 



\0)ab = 4= £ I 



(45) 



This state has trivial total charge; indeed, when ex- 
pressed in the Fourier-transformed charge-eigenstate ba- 
sis, it is 



lO)^^ = — == V \q,i, 



a) a <X> \q,i,a) B 



(46) 



Thus, in principle Alice (say) could prepare $|0\rangle_{AB}$ in
her lab and then ship half of it to Bob. (The state
$|0\rangle_{AB}$ is unnormalizable and unphysical if G is a Lie
group. For now we will suppose that G is a finite group, but we
will comment on the case of a Lie group below.)

In the state $|0\rangle_{AB}$, Alice's condensate, and Bob's, have
values that are distributed uniformly over the group G,
but these values are locked together. Therefore, if
$|\psi\rangle_C$ is any pure state of C, then $M^{\rm inv}_{AC}$
and $M^{\rm inv}_{BC}$ act on $|0\rangle_{AB} \otimes |\psi\rangle_C$
in the same way:



M™(]V)ab®H)c 



M™(\0)ab®Wc) 



\<i>U ® \4>)b ® ([/(0)A/[/(0)- 1 )|^)c 



bee 



(47) 



Furthermore $M^{\rm inv}_{AC}$ and $M^{\rm inv}_{BC}$ act
identically on any state of the form



ABC 



= Y\ \4>U ® \4>)b ® \ip4,)c , 

n G j~t 



(48) 



beG 



where $|\psi_\phi\rangle_C$ might depend on $\phi$, a form that is
maintained as successive invariant operations are applied to
AC and to BC. Therefore, the outcome of the protocol
would be the same if each invariant operation $M^{\rm inv}_{BC}$
applied to BC were replaced by the corresponding invariant
operation $M^{\rm inv}_{AC}$ applied to AC. We conclude that
the simulation in which the distributed reference system
AB is prepared in the initial state $|0\rangle_{AB}$ is equivalent
to a simulation that uses an itinerant reference system
A. Since this latter simulation has all of the properties
listed in Sec. II C, we find that a bipartite I-world protocol
using the distributed reference system can faithfully
simulate an arbitrary U-world protocol.

Note that the distributed state can serve the same pur- 
pose if there is a fixed offset of Bob's condensate relative 
to Alice's, as long as the offset is known. That is, if Alice 
and Bob share the state 



\0,4)AB = -£=J2\<l>)At 



q : a : b 



(49) 



then the invariant operations ^bc anc ^ 

([/(^)M[/((^)- 1 )^ act in the same way. If Bob 

knows 0, then, he can participate successfully in the 
simulation by "twisting" his operations appropriately.
Similarly, in a protocol with k parties, the distributed
reference state

|0)fe p ar tics - -^= ® ■ ■ ■ ® I0>il* (50) 



provides a common "phase standard" for all the participants,
allowing them to simulate a U-world protocol in
the I-world — the $\ell$th party simulates the noninvariant
operation M by applying $M^{\rm inv}$ to the target system and
her part $R_\ell$ of the reference system. Again, the parties
can twist their local operations to compensate for known
relative offsets of their condensates, if necessary.

In the state $|0\rangle_{AB}$, there is a quantum correlation
between Alice's condensate and Bob's. A common reference
standard can be provided instead by a classically correlated
state such as

$$\rho_{AB} = \frac{1}{n_G} \sum_{\phi \in G} (|\phi\rangle\langle\phi|)_A \otimes (|\phi\rangle\langle\phi|)_B . \qquad (51)$$

If Alice and Bob are equipped with the state $\rho_{AB}$, then
again $M^{\rm inv}_{AC}$ and $M^{\rm inv}_{BC}$ act in the same way;
hence they can use this distributed reference state to simulate a
U-world protocol in the I-world. The state is G-invariant,
but unlike $|0\rangle_{AB}$ it is not a charge eigenstate; rather
it is a mixture of (invariant) states with various charges. For
example, in the case G = U(1), $|0\rangle_{AB}$ is the
(unnormalizable) state

$$|0\rangle_{AB} = \int_0^{2\pi} d\theta\, |\theta\rangle_A \otimes |\theta\rangle_B = \sum_{q=-\infty}^{\infty} |-q\rangle_A \otimes |q\rangle_B ; \qquad (52)$$

Alice's charge and Bob's charge are perfectly anticorrelated.
In contrast, $\rho_{AB}$ is

$$\rho_{AB} \propto \int d\theta\, (|\theta\rangle\langle\theta|)_A \otimes (|\theta\rangle\langle\theta|)_B \propto \sum_{q_A, q_B, q} |q_A, q_B\rangle\langle q_A - q,\, q_B + q| . \qquad (53)$$

Formally, this state appears to be separable, as it is a
mixture of the product states $|\theta\rangle \otimes |\theta\rangle$,
but this is deceptive, because $|\theta\rangle \otimes |\theta\rangle$
is not G-invariant and is therefore incompatible with the
superselection rule. On the other hand, in the charge-eigenstate
basis, $\rho_{AB}$ can be expressed as a mixture of G-invariant
pure states, each with a definite total charge; however, these
pure states are highly entangled, with an indefinite value of
Alice's (and Bob's) local charge. The state $\rho_{AB}$ is not a
mixture of invariant product states, and therefore cannot
be prepared without quantum communication between
Alice and Bob. Classical communication alone is insufficient
for Alice and Bob to establish their common phase
standard.

Now let's return to the question we postponed earlier:
what if G is a Lie group, so that the states $|0\rangle_{AB}$ and
$\rho_{AB}$ are unnormalizable? To be specific, consider again
the case G = U(1), and suppose that Alice and Bob are
instructed to perform this protocol: Alice is presented
with a charge-zero state $|0\rangle$. She is instructed to rotate
this state to the superposition of charge eigenstates
$(|0\rangle + |1\rangle)/\sqrt{2}$ and to send the resulting state
to Bob. Bob is to perform an orthogonal measurement in the basis
$(|0\rangle \pm |1\rangle)/\sqrt{2}$ and so verify that Alice
prepared the correct state. To make sense of this procedure,
Alice and Bob must share a common reference state that serves to
lock together their phase conventions; for example, this
state could be a shared pure state $|\psi\rangle_{AB}$ with
definite total charge. Alice's coherent operation on system C
acts as

$$|\psi\rangle_{AB} \otimes |0\rangle_C \to \frac{1}{\sqrt{2}}\left(|\psi\rangle_{AB} \otimes |0\rangle_C + (U_-)_A |\psi\rangle_{AB} \otimes |1\rangle_C\right) ; \qquad (54)$$

that is, Alice simulates the charge-nonconserving operator
$(U_+)_C$ by applying the invariant operator
$(U_-)_A \otimes (U_+)_C$ to AC. When Bob receives system C, he
performs his measurement by first simulating the transformation

$$|0\rangle_C \to \frac{1}{\sqrt{2}}\left(|0\rangle_C + |1\rangle_C\right) , \qquad |1\rangle_C \to \frac{1}{\sqrt{2}}\left(|0\rangle_C - |1\rangle_C\right) , \qquad (55)$$

and then measuring the charge of C. After Bob's first
step, the state of ABC has become

$$\frac{1}{2}\left(I_A \otimes I_B + (U_-)_A \otimes (U_+)_B\right)|\psi\rangle_{AB} \otimes |0\rangle_C + \frac{1}{2}\left(I_A \otimes (U_-)_B - (U_-)_A \otimes I_B\right)|\psi\rangle_{AB} \otimes |1\rangle_C . \qquad (56)$$

When Bob measures the charge, the probability that he
obtains the outcome 1 and fails to verify Alice's state, is

$$P_1 = \frac{1}{2}\left(1 - {\rm Re}\; {}_{AB}\langle\psi|(U_-)_A \otimes (U_+)_B|\psi\rangle_{AB}\right) . \qquad (57)$$

If, for example, the shared reference state is

/JV-l 

r i- 



(58) 



a normalizable approximation to the state $|0\rangle_{AB}$, our
expression for $P_1$ becomes

$$P_1 = \frac{1}{2N} . \qquad (59)$$

Thus, for finite N, the state received by Bob does not
match perfectly with the state prepared by Alice — the
superposition of charge eigenstates decoheres slightly.
But this decoherence becomes negligible in the limit
$N \to \infty$, where the "charge fluctuations" of the shared
condensate are large.

The lesson we learn from this example generalizes to
nonabelian compact Lie groups. We can replace the
unnormalizable state

\0) A b = -= Y) \q,i,a) A ® k,i,a) B (60) 

by a normalizable state with a truncated sum over the
charge q. If Alice and Bob use this truncated distributed
reference state to simulate a U-world protocol, their
simulation will not have perfect fidelity. But as long as all
operations applied by Alice and Bob change the charge
by a bounded amount, the fidelity can be arbitrarily close
to one if the reference state is chosen appropriately. If
Alice and Bob are permitted to use a truncated itinerant
reference system rather than a distributed one, then
perfect fidelity can be achieved, as observed in Sec. II C.
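
The prepare-and-verify protocol of eqs. (54)-(57), as an added numerical check that is not code from the paper: it applies Alice's and Bob's charge-conserving operations to a truncated reference state and evaluates Bob's rejection probability, for a distributed reference and for an itinerant one. It assumes the truncated distributed state has the form $N^{-1/2}\sum_{q=0}^{N-1}|-q\rangle_A \otimes |q\rangle_B$; all function names are hypothetical.

```python
from collections import defaultdict
from math import sqrt

S = 1 / sqrt(2)


def shifted(ref, reg, delta):
    """Copy of the reference charges with register `reg` changed by `delta`."""
    charges = list(ref)
    charges[reg] += delta
    return tuple(charges)


def alice_prepare(state, reg):
    """Invariant stand-in for |0>_C -> (|0>_C + |1>_C)/sqrt(2), eq. (54).

    The unit of charge that appears on C is removed from reference register
    `reg`: on the |1> branch Alice applies (U_-)_reg (x) (U_+)_C.
    """
    out = defaultdict(float)
    for (ref, c), amp in state.items():
        if c != 0:
            raise ValueError("Alice is handed the charge-zero state of C")
        out[(ref, 0)] += S * amp
        out[(shifted(ref, reg, -1), 1)] += S * amp
    return dict(out)


def bob_rotate(state, reg):
    """Invariant stand-in for the basis change of eq. (55), balanced by `reg`."""
    out = defaultdict(float)
    for (ref, c), amp in state.items():
        if c == 0:
            out[(ref, 0)] += S * amp
            out[(shifted(ref, reg, -1), 1)] += S * amp
        else:
            out[(shifted(ref, reg, +1), 0)] += S * amp
            out[(ref, 1)] -= S * amp
    return dict(out)


def run_protocol(reference, alice_reg, bob_reg):
    """State of (reference, C) just before Bob measures the charge of C."""
    state = {(ref, 0): amp for ref, amp in reference.items()}
    return bob_rotate(alice_prepare(state, alice_reg), bob_reg)


def failure_probability(reference, alice_reg, bob_reg):
    """P_1 of eq. (57): Bob finds charge 1 and rejects an honest Alice."""
    final = run_protocol(reference, alice_reg, bob_reg)
    return sum(amp * amp for (_, c), amp in final.items() if c == 1)


def total_charges(state):
    """Total charges (reference + C) carried by the nonzero amplitudes."""
    return {sum(ref) + c for (ref, c), amp in state.items() if amp != 0.0}


def distributed_reference(n):
    """Assumed truncated state: N^{-1/2} sum_{q=0}^{N-1} |-q>_A |q>_B."""
    return {(-q, q): 1 / sqrt(n) for q in range(n)}


def itinerant_reference():
    """A single register R in its charge-zero state, passed along with C."""
    return {(0,): 1.0}


if __name__ == "__main__":
    for n in (1, 2, 10, 100):
        p1 = failure_probability(distributed_reference(n), 0, 1)
        print(f"distributed, N={n:3d}: P_1 = {p1:.4f} (1/2N = {1 / (2 * n):.4f})")
    p1 = failure_probability(itinerant_reference(), 0, 0)
    print(f"itinerant, charge-zero R: P_1 = {p1:.4f}")
```

With N = 1 the two parties hold definite local charges and share no phase standard, so Bob's outcome is a fair coin; the itinerant register only ever visits charges 0 and −1, inside the 2r + 1 = 3 levels allowed for r = 1.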

V. INVARIANT OPERATIONS AND 
COMMUTANTS 

Our observations in Sec. II B emphasized the similarities
between abelian and nonabelian superselection rules,
enabling us to formulate a security analysis in Sec. III
that applies to both abelian and nonabelian symmetry
groups. But in several respects the arguments in Sec. III
are still not adequate. For one thing, so far we have
treated only the special case of superselection sectors
labeled by unitary irreducible representations of compact
groups. For another, while it is possible to formulate
a security analysis of quantum bit commitment within
the framework of our argument in Sec. III, it is more
natural to structure the argument differently, following
more closely the standard analysis of quantum bit
commitment.

In this section, we will emphasize the essential differences
between superselection rules arising from nonabelian
symmetry groups and those arising from abelian
groups. The discussion will pave the way for our analysis
of quantum bit commitment in Sec. VII and of general
two-party protocols in Sec. VIII.

A crucial difference between abelian and nonabelian
charges is that nonabelian charges are nonadditive: the
charges of two subsystems A and B do not necessarily
determine the charge of the composite system AB. This
feature can be restated as a property of the algebra of
observables of the bipartite system. Let $\mathcal{A}$ denote the
algebra of local operators (an associative algebra, closed
under Hermitian conjugation, that commutes with all locally
conserved charges) acting on subsystem A, and let
$\mathcal{B}$ denote the algebra of local operators acting on B.
The commutant of $\mathcal{A}$, denoted $\mathcal{A}'$, is the
algebra of operators acting on the composite system AB that
commute with everything in $\mathcal{A}$, and similarly for
$\mathcal{B}'$. Now, if all superselection rules are abelian,
then $\mathcal{A}' = \mathcal{B}$ and $\mathcal{B}' = \mathcal{A}$.
But if the superselection rules are nonabelian, the theory
has sectors with nontrivial total charge in which this
relation does not hold. This unusual structure of the local
observables has potential implications for the security of
quantum protocols.

To be more explicit, suppose that the superselection
rules arise from a nonabelian symmetry group G, and the
operations that Alice (or Bob) can perform must commute
with G. A state $|\psi\rangle$ in Alice's (or Bob's) Hilbert
space can be decomposed into irreducible representations
of G, as

$$|\psi\rangle = \sum_{q,i,a} \psi^q_{ia}\, |q,i,a\rangle ; \qquad (61)$$

here q labels the irreducible representation (or "charge"),
i is the "color" index acted upon by the representation of
G, and a is the "flavor" index that distinguishes among
the various copies of the irreducible representation q
appearing in the decomposition. Note that since we are
no longer assuming that Alice's system transforms as the
regular representation of G, there need be no connection
between the number of flavors and the number of colors
associated with q. The action of a color gauge rotation
representing $g \in G$ on $|\psi\rangle$ is

$$U(g)|\psi\rangle = \sum_{q,i,j,a} \psi^q_{ia}\, |q,j,a\rangle D^q_{ji}(g) . \qquad (62)$$

An operator M allowed by the superselection rule, which
must commute with each $D^q(g)$, preserves the charge q
and acts only on the flavor index according to

$$M|\psi\rangle = \sum_{q,i,a,b} \psi^q_{ia}\, |q,i,b\rangle M^q_{ba} . \qquad (63)$$

Since allowed operations act nontrivially only on the flavor
index, it is convenient to use a notation that suppresses
the color index i. We denote by $\mathcal{H}_q$ the invariant
Hilbert space in the charge-q sector, spanned by states
$|q,a\rangle$ that are labeled only by the flavor a within the
sector. The corresponding operator algebra respecting the
superselection rule is $\mathcal{L}(\mathcal{H}_q)$, spanned by
linear operators acting on this invariant space. Thus Alice's
invariant Hilbert space is

$$\mathcal{H}_A = \bigoplus_q \mathcal{H}_{A,q} \qquad (64)$$

and Alice's local operator algebra is

$$\mathcal{A} = \bigoplus_q \mathcal{L}(\mathcal{H}_{A,q}) ; \qquad (65)$$

Similarly, Bob's operator algebra is

$$\mathcal{B} = \bigoplus_q \mathcal{L}(\mathcal{H}_{B,q}) . \qquad (66)$$

Now consider the composite system AB. Its invariant
Hilbert space too can be expressed as a direct sum over
charge sectors

$$\mathcal{H} = \bigoplus_q \mathcal{H}_q , \qquad (67)$$

while the full operator algebra is
$\bigoplus_q \mathcal{L}(\mathcal{H}_q)$. But we should consider how
$\mathcal{H}_q$ is related to the invariant Hilbert spaces of the
subsystems. The charge-q Hilbert space of the joint system can be
expressed as

$$\mathcal{H}_q = \bigoplus_{q_A, q_B} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{B,q_B} \otimes V_q^{q_A,q_B} , \qquad (68)$$

where $V_q^{q_A,q_B}$ denotes the space of invariant linear maps
from the irreducible representation q to the tensor product
of irreducible representations $q_A \otimes q_B$. This space
can be nontrivial (of dimension greater than one) if the
tensor product contains the representation q more than
once.

When expressed in terms of a particular color basis for
the irreducible representations q, $q_A$ and $q_B$, the
components of $V_q^{q_A,q_B}$ are the Clebsch-Gordan coefficients
(3j symbols) of the group G. Let $\{|q_A,i\rangle\}$ denote an
orthonormal basis for the representation $q_A$,
$\{|q_B,j\rangle\}$ a basis for $q_B$, and $\{|q(a),k\rangle\}$ a
basis for q(a), where the index a labels the various copies of the
representation q that may be contained in $q_A \otimes q_B$. Then
the components of $V_q^{q_A,q_B}$ are

$$[V_q^{q_A,q_B}(a)]^{ij}_k = \left(\langle q_A,i| \otimes \langle q_B,j|\right) |q(a),k\rangle . \qquad (69)$$

These components comprise a G-invariant tensor with 
the property 

= KU9)D]^g)[V q ^Ha)]lf Dl, k (g) (70) 

i',j',k' 

Invariant operations act not on the color indices of
$[V_q^{q_A,q_B}(a)]^{ij}_k$, but rather on the index a that
distinguishes the flavors of q contained in $q_A \otimes q_B$.
Furthermore, the invariant operations can also alter the charges
$q_A$ and $q_B$ appearing in eq. (68), while preserving the
total charge q.

The notation of eq. (68) and its implications may be
clarified by discussing specific examples. The trivial
representation (q = 1) is contained only in the tensor product
of $q_A$ with its conjugate representation $\bar{q}_A$, and it
occurs only once in this product; therefore, in the case
where the total charge is q = 1, eq. reduces to

$$\mathcal{H}_1 = \bigoplus_q \mathcal{H}_{A,q} \otimes \mathcal{H}_{B,\bar{q}} ; \qquad (71)$$

in this case, the factor $V_q^{q_A,q_B}$ is superfluous. Now, the
joint operator algebra contains operations that cannot
be executed by Alice and Bob locally — these operations
change Alice's charge and Bob's while preserving
the total charge (of course, this can happen even if G is
abelian). But any operation that commutes with Alice's
algebra $\mathcal{A}$ must preserve Alice's charge q, and act
trivially in each of Alice's charge sectors; such operations
preserve Bob's charge $\bar{q}$ as well, and thus are in Bob's
algebra $\mathcal{B}$. Therefore $\mathcal{A}$ and $\mathcal{B}$
are commutants of one another.

However, if the total charge is nontrivial, then $\mathcal{B}$
need not be the commutant of $\mathcal{A}$. To illustrate this
phenomenon, consider the case G = SU(2), where the
irreducible representation is labeled by the spin j. For
SU(2), $V_j^{j_A,j_B}$ is always one (or zero) dimensional, and
eq. reduces to

$$\mathcal{H}_j = \bigoplus_{j_A, j_B} \mathcal{H}_{A,j_A} \otimes \mathcal{H}_{B,j_B} , \qquad (72)$$

where it is implicit that each product of representations
appearing on the right-hand side transforms as spin j. To
be concrete, suppose that Alice's system has spin 1/2,
Bob's contains both a spin-0 and a spin-1 component,
and the total spin is 1/2; then

$$\mathcal{H}_{1/2} = \mathcal{H}_{A,1/2} \otimes \left(\mathcal{H}_{B,0} \oplus \mathcal{H}_{B,1}\right) . \qquad (73)$$

Note that in this case, contrary to the case in which the
total charge is trivial, a single value of $j_A$ can be combined
with either of two different values of $j_B$ to obtain
the same total charge j. Therefore, there are invariant
operations acting on the joint system that preserve
Alice's charge and the total charge, but change Bob's
charge. These operations are in the commutant of $\mathcal{A}$
but not in $\mathcal{B}$; hence $\mathcal{A}' \neq \mathcal{B}$.

We arrive at another way of looking at this property of
$\mathcal{H}_{1/2}$ if we imagine that there is a third party
Charlie who holds a compensating charge, so that the total charge
is trivial. Now

$$\mathcal{H}_0 = \mathcal{H}_{A,1/2} \otimes \left(\mathcal{H}_{B,0} \otimes \mathcal{H}_{C,1/2} \oplus \mathcal{H}_{B,1} \otimes \mathcal{H}_{C,1/2}\right) ; \qquad (74)$$

an operation in $\mathcal{A}'$ can be performed by Bob and Charlie
acting together, but not by Bob alone.

In order that $\mathcal{A}' \neq \mathcal{B}$, it is not necessary
for one of the parties to possess a state with indefinite charge.
For example, in the case G = SU(3), the tensor product of
the irreducible octet representation 8 with itself contains
two copies of 8, one symmetric and one antisymmetric
under interchange of the factors:

8 A ® 8b 2 (75) 

Thus, in the decomposition

$$\mathcal{H}_8 = \mathcal{H}_{A,8} \otimes \mathcal{H}_{B,8} \otimes V_8^{8,8} , \qquad (76)$$

the joint invariant Hilbert space is two-dimensional, while
Alice and Bob both have one-dimensional Hilbert spaces
and trivial invariant operator algebras. Then $\mathcal{A}'$ is the
full operator algebra, clearly different from $\mathcal{B}$, and
similarly $\mathcal{B}'$ is different from $\mathcal{A}$. Again, an
alternative description of the invariant space is to note that
Charlie could hold a compensating 8 charge, in which case the
total charge is trivial and

n 1 = {HA,%®n B fi®'Hcfi)®V^ s (77) 
is two-dimensional.

For the purpose of describing G-invariant operations, it
is always legitimate to introduce a compensating charge
without incurring any loss of generality. To see this, first
note that if $\mathcal{E}$ is a G-invariant quantum operation, then

$$\mathcal{E}[U(g)\rho U(g)^{-1}] = U(g)\mathcal{E}(\rho)U(g)^{-1} \qquad (78)$$

for any $g \in G$ and any state $\rho$. In particular, then,

$$\mathcal{E}[\mathcal{G}(\rho)] = \mathcal{G}[\mathcal{E}(\rho)] , \qquad (79)$$

where $\mathcal{G}$ is the map

$$\mathcal{G}(\rho) = \frac{1}{n_G} \sum_{g \in G} U(g)\rho U(g)^{-1} , \qquad (80)$$

which induces decoherence of a superposition of distinct 
irreducible representations of G: 



g(\q,i,a)(q',j,b\) 

= S "' S ij \J^Y,\<lM(q,l,b\^ 

Eq. O means [26] that the state



(81) 



(82) 



cannot be distinguished by any G-invariant operation 
from the state 

Now, consider a system A whose charge is screened by
a system C, so that the state of the joint system has
trivial total charge:



I AC 



= E ^ M> a U ® \q,i)c 



(84) 



q,a,i 



Tracing over system C produces the state



tx c {m^\) AC = e« * ( -Ei^ a ><^ & i I (as) 

But the state eq. (83) is just a convex combination of
states of the form eq. (85). Therefore, if only G-invariant
operations are to be considered, it is always harmless to
replace system A by half of a bipartite state that carries
trivial total charge.

Up until now, we have explicitly discussed only the case
of superselection sectors arising from a compact symmetry
group, but much of the formalism we have outlined
in this section can be extended to a more general setting.
Whatever the origin of the superselection rule, the
allowed operations act on a suitable invariant space. Sectors
can still be classified by conserved charges, but in the
general case, the space $V_q^{q_A,q_B}$ is defined more abstractly,
rather than in terms of group representations. One important
property that continues to hold in the general
setting (which will play a central role in our analysis of
quantum bit commitment in Sec. VII and of general two-party
games in Sec. VIII) is that for each value q of the
charge, there is a unique conjugate charge $\bar{q}$ such that the
fusion of the charges contains the trivial charge sector.



VI. DATA HIDING 

Verstraete and Cirac described a data-hiding protocol
whose security is founded on the charge superselection
rule for G = U(1). Suppose that a trusted third
party Charlie prepares one of the two orthogonal states

$$|\pm\rangle = \frac{1}{\sqrt{2}}\left(|01\rangle \pm |10\rangle\right) , \qquad (86)$$

where $|0\rangle$ and $|1\rangle$ denote states of charge 0 and 1
respectively, and distributes half to Alice and half to Bob. If
Alice and Bob could each measure the Pauli operator X
that interchanges $|0\rangle$ and $|1\rangle$, they could distinguish
the states $|+\rangle$ and $|-\rangle$ by performing these
measurements and comparing their outcomes. However, X does not
commute with the electric charge Q; if Alice and Bob are
permitted only to perform local charge-conserving operations
and to communicate classically, then they will be
powerless to distinguish the two possible states.

On the other hand, if Alice and Bob share access to a
common phase reference state, their activities will be
unrestricted and nothing will prevent them from performing
the X measurements that unlock the classical bit stored
in the state prepared by Charlie (aside from the small
loss of fidelity that arises if the reference state has large
but finite charge fluctuations, as in eq. (58)). In Bloch
sphere language, Alice and Bob have no a priori means of
orienting their measurement axes in the x-y plane, but a
shared phase standard enables them to lock their axes together
and compare their measurements. Since the state
prepared by Charlie is invariant under rotations about
the z axis, the overall orientation in the x-y plane is
irrelevant; only the relative orientation needs to be fixed
to identify Charlie's state.

To be more explicit, while X does not commute with 
the charge, 



A AA> 



(87) 



commutes with Q, as does $X^{\rm inv}_{BB'}$. If Alice and Bob share
a distributed reference state $|\psi\rangle_{AB}$ that is an
eigenstate of $(U_-)_A \otimes (U_+)_B$ with eigenvalue 1, then



is an eigenstate of 



j AB 



vmv 



A'B' 



(88) 



(89)

with eigenvalue ±1. Therefore, Alice and Bob can unlock
the hidden bit by each measuring $X^{\rm inv}$ and comparing
their results. The same holds, of course, if the
shared reference state $\rho_{AB}$ is a mixture of eigenstates of
$(U_-)_A \otimes (U_+)_B$, each with eigenvalue 1, as in eq. (55). As
Verstraete and Cirac observed, quantum communication
is needed to establish this shared phase standard.

In the absence of a shared phase standard, neither Alice
nor Bob can detect the bit encoded in the state $|\pm\rangle$
of eq. (86); however, either Alice or Bob can manipulate
the bit. Each can measure the charge q, and either can
apply a phase to the state conditioned on the charge,
flipping $|+\rangle \leftrightarrow |-\rangle$. But the property that $\mathcal{B}' \neq \mathcal{A}$
indicates that the situation can be more subtle in the
nonabelian case (with nontrivial total charge). Suppose, for
example, that G = SU(2) with total charge j = 1/2
as in eq. (73). Two states with the same value of the
total charge and of Alice's charge, but different values
of Bob's charge, are $|j = 1/2, j_A = 1/2, j_B = 0\rangle$ and
$|j = 1/2, j_A = 1/2, j_B = 1\rangle$. Charlie might prepare either
of the linear combinations

$$|\pm\rangle = \frac{1}{\sqrt{2}}\left(|j = \tfrac{1}{2}, j_A = \tfrac{1}{2}, j_B = 0\rangle \pm |j = \tfrac{1}{2}, j_A = \tfrac{1}{2}, j_B = 1\rangle\right) , \qquad (90)$$

and then distribute the AB system to Alice and Bob. 
Again, neither Alice nor Bob can detect the hidden bit, 
but now there is a notable asymmetry between Alice's 
power and Bob's. Since Bob has a superposition of two 
different charge states, he can tamper with the hidden bit 
by applying a phase controlled by the charge. Alice, on 
the other hand, has a trivial invariant operator algebra, 
and has no control over the shared state. 

We may take this observation a step further. Suppose,
for example, that G = SU(3) with total charge q = 8
as in eq. (76). Charlie might prepare either of the linear
combinations

$$|\pm\rangle = \left(|q = 8_{\mathrm{sym}}, q_A = 8, q_B = 8\rangle \pm |q = 8_{\mathrm{anti}}, q_A = 8, q_B = 8\rangle\right) , \qquad (91)$$

and then distribute the AB system to Alice and Bob. 
Again, neither Alice nor Bob can detect the hidden bit, 
but furthermore, neither one can tamper with the bit's 
value. 

However, in the nonabelian case as in the abelian case, 
the hidden bit can be opened via local operations and 
classical communication between Alice and Bob if they 
are provided with correlated reference systems that effec- 
tively remove the restrictions imposed by the superselec- 
tion rule. 



VII. QUANTUM BIT COMMITMENT AND 
SUPERSELECTION RULES 

During the commitment stage of quantum bit com- 
mitment, Alice encodes a classical bit by preparing one 
of two distinguishable quantum states with density operators
$\rho_0$ or $\rho_1$, and then she sends half of the state
to Bob. In the unveiling stage, Alice sends the other
half of the state to Bob, so that he can verify whether
the state is $\rho_0$ or $\rho_1$. The protocol is binding if, after
commitment, Alice is unable to change the value of the 
bit. The protocol is concealing if, after commitment and 
before unveiling, Bob is unable to discern the value of 
the bit. The protocol is secure if it is both binding and 
concealing. 

In the absence of superselection rules, unconditionally
secure quantum bit commitment is impossible [8, 9]. If we
imagine that the states $\rho_0$ and $\rho_1$ are pure states shared
by Alice and Bob, then if the protocol is concealing, Bob's
density operator (obtained by tracing over Alice's system)
must be the same in both cases: $\rho_{0,B} = \rho_{1,B}$. But
then by the HJW Theorem [2^| Alice can apply a unitary 
transformation to her half of the state that transforms $\rho_0$
to $\rho_1$, so that the protocol is not binding.

A. Bit commitment with mixed states 

We reached this conclusion under the assumption that 
$\rho_0$ and $\rho_1$ are pure states, but we can extend the argument
to the case where the states are mixed by appealing
to the concept of a purification of a mixed state. We will
describe this extension in detail, as we will follow very
similar reasoning in our discussion in Sec. VII C of bit
commitment with nontrivial total charge.

Suppose that at the start of the bit commitment protocol,
Alice and Bob share a product state $\rho_A \otimes \rho_B$, where
the states $\rho_A$ and $\rho_B$ are mixed. An equivalent way to
describe Alice's initial state is to introduce the ancilla
system C and a pure state $|\psi\rangle_{AC}$ (a purification of $\rho_A$),
such that the density operator $\rho_A$ is obtained from $|\psi\rangle_{AC}$
by tracing over system C:

$$\rho_A = \mathrm{tr}_C \left(|\psi\rangle\langle\psi|\right)_{AC} . \qquad (92)$$

Similarly, to describe $\rho_B$ we can introduce the ancilla D
and a state $|\varphi\rangle_{BD}$ that purifies $\rho_B$. Without loss of generality,
we may assume that in each step of the protocol,
Alice or Bob applies a unitary transformation, so that 
the state of the full system ABCD remains pure. (A 
general quantum operation performed by Alice, say, can 
be realized as a unitary transformation applied jointly to 
Alice's system and to an appropriate ancilla; therefore, 
the operation is unitary provided that we include this 
ancilla as part of the system.) In particular, after the bit 
is committed, the state of the full system is one of the 
two pure states $|\psi_0\rangle_{ABCD}$ or $|\psi_1\rangle_{ABCD}$.

If both parties are honest, the ancillas C and D are 
off limits — Alice can manipulate only A and Bob can 
manipulate only B — and in that case the mixed state
protocol and its purification are completely equivalent. 
Furthermore, if one party cheats, whether the other party 
starts out with a mixed state or its purification has no 
impact on the effectiveness of the cheating strategy, be- 
cause the honest party never touches the purifying ancilla 
anyway. 

Now let us see that in any quantum bit commitment 
protocol, one of the players can cheat successfully. First 
suppose that Bob cheats. Though the honest protocol 
calls for Bob to start out with the mixed state $\rho_B$, a
cheating Bob can throw this state away, and replace it
with the purification $|\varphi\rangle_{BD}$, where D is now an ancilla
system that Bob controls. Therefore, if the protocol is
perfectly concealing (even when Bob cheats), then

$$\rho_{0,BD} = \mathrm{tr}_{AC}\left(|\psi_0\rangle\langle\psi_0|\right)_{ABCD} = \rho_{1,BD} = \mathrm{tr}_{AC}\left(|\psi_1\rangle\langle\psi_1|\right)_{ABCD} ; \qquad (93)$$

Bob is unable to collect any information about the com- 
mitted bit through any joint measurement on BD. 

Similarly, a cheating Alice could throw away her initial 
state and replace it by its purification; then Alice could 
control both A and the ancilla C. Applying the HJW 
theorem as before, we conclude that if $\rho_{0,BD} = \rho_{1,BD}$,
then Alice can apply a unitary transformation to AC that
transforms $|\psi_0\rangle_{ABCD}$ to $|\psi_1\rangle_{ABCD}$. We conclude that if
the protocol is concealing, then it is not binding. Uncon- 
ditionally secure quantum bit commitment is impossible, 
even with mixed states. That quantum bit commitment 
is impossible even when mixed strategies are used was 
proved in Q using a slightly different approach. 

B. Trivial total charge 

The argument in Sec. VII A shows that for an analysis
of the security of quantum bit commitment, we may
assume that Alice and Bob share a pure state. But how 
is the security affected if superselection rules constrain 
Alice's and Bob's operations? We will first consider the 
special case in which the total charge that Alice and Bob 
share is trivial. After commitment, then, Alice and Bob 
share one of the two pure states $|\psi_0\rangle$ or $|\psi_1\rangle$, each with
trivial total charge. Choosing the Schmidt basis in each
charge sector, the state $|\psi_0\rangle$ can be expanded as

$$|\psi_0\rangle_{AB} = \sum_q \sqrt{p_q} \sum_b |q,b\rangle_A \otimes |q,b\rangle_B , \qquad (94)$$

where Bob's density operator is 

Po,b = tiA (l^oX^ol) = Po < B >i ( 95 ) 

and 

b 



Bob can measure the probability $p_q$ that his charge is q;
therefore if the protocol is concealing then the distribution
$\{p_q\}$ must be the same for $|\psi_1\rangle$ as for $|\psi_0\rangle$. Furthermore,
Bob's density operator in the charge-q sector must
not depend on whether the state is $|\psi_0\rangle$ or $|\psi_1\rangle$; therefore
$|\psi_1\rangle$ can be expanded as

$$|\psi_1\rangle_{AB} = \sum_q \sqrt{p_q} \sum_b |\widetilde{q,b}\rangle_A \otimes |q,b\rangle_B , \qquad (97)$$

where $\{|\widetilde{q,b}\rangle_A\}$ is another basis for Alice's charge-q sector.
But now Alice can apply a unitary transformation
conditioned on the charge that rotates one basis to the
other:

$$U_q : |q,b\rangle \to |\widetilde{q,b}\rangle , \qquad (98)$$

which transforms $|\psi_0\rangle$ to $|\psi_1\rangle$. Therefore, the protocol is
not binding.

Obviously, the same argument applies, in the abelian 
case, even if the total charge is nontrivial [l||. The key 
property of the states that is used in the argument is that 
Alice's charge is perfectly correlated with Bob's, so that 
$\mathcal{B}' = \mathcal{A}$.
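The charge-conditioned cheat of eq. (98) can be carried through numerically. The following is an added example, not code from the paper: it builds two trivial-total-charge states with the same reduced state for Bob, reconstructs Alice's block-diagonal unitary from the states alone, and refuses to do so when the pair is not concealing. The two charge sectors, the explicit Schmidt weights `lam`, the amplitudes and all function names are assumptions made for the example, and full Schmidt rank is assumed in every sector.

```python
import math

TOL = 1e-9

def make_state(p, lam, alice_basis):
    """Trivial-total-charge state as {q: M_q}; M_q[a][b] is the amplitude of
    |q,a>_A (x) |q,b>_B. Column b of alice_basis[q] is Alice's Schmidt vector
    paired with Bob's basis state b; lam[q][b] are Schmidt weights (assumed)."""
    return {q: [[math.sqrt(p[q] * lam[q][b]) * alice_basis[q][a][b]
                 for b in range(len(lam[q]))] for a in range(len(lam[q]))]
            for q in p}

def matmul(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(len(y)))
             for j in range(len(y[0]))] for i in range(len(x))]

def bob_density(state):
    """Bob's reduced density operator, block by block in the charge q."""
    return {q: [[sum(row[b] * row[b2].conjugate() for row in m)
                 for b2 in range(len(m[0]))] for b in range(len(m[0]))]
            for q, m in state.items()}

def max_diff(x, y):
    return max(abs(x[q][i][j] - y[q][i][j])
               for q in x for i in range(len(x[q])) for j in range(len(x[q][0])))

def cheating_unitary(state0, state1):
    """Blocks U_q of Alice's unitary with (U (x) I)|psi0> = |psi1>.
    U is block diagonal in q, so it conserves Alice's charge."""
    rho0, rho1 = bob_density(state0), bob_density(state1)
    if max_diff(rho0, rho1) > TOL:
        raise ValueError("not concealing: Bob can tell the two states apart")
    blocks = {}
    for q, m0 in state0.items():
        m1, dim = state1[q], len(m0)
        u = [[0j] * dim for _ in range(dim)]
        for b in range(dim):
            weight = rho0[q][b][b].real          # p_q * lam[q][b]
            if weight < TOL:
                raise ValueError("example assumes full Schmidt rank")
            for r in range(dim):
                for c in range(dim):
                    # U_q = sum_b |q,b~><q,b|, read off from the two states
                    u[r][c] += m1[r][b] * m0[c][b].conjugate() / weight
        blocks[q] = u
    return blocks

def unitarity_error(blocks):
    err = 0.0
    for u in blocks.values():
        d = len(u)
        for i in range(d):
            for j in range(d):
                g = sum(u[k][i].conjugate() * u[k][j] for k in range(d))
                err = max(err, abs(g - (1 if i == j else 0)))
    return err

def demo():
    # Constructed data: charge distribution, Schmidt weights, Alice's two bases.
    p = {0: 0.3, 1: 0.7}
    lam = {0: [0.5, 0.5], 1: [0.8, 0.2]}
    ident = [[1, 0], [0, 1]]
    h = 1 / math.sqrt(2)
    c, s = math.cos(0.4), math.sin(0.4)
    rotated = {0: [[h, h], [h, -h]], 1: [[c, -1j * s], [-1j * s, c]]}
    psi0 = make_state(p, lam, {0: ident, 1: ident})
    psi1 = make_state(p, lam, rotated)
    u = cheating_unitary(psi0, psi1)
    moved = {q: matmul(u[q], psi0[q]) for q in psi0}
    return {"concealing_gap": max_diff(bob_density(psi0), bob_density(psi1)),
            "unitarity_error": unitarity_error(u),
            "cheat_error": max_diff(moved, psi1)}

if __name__ == "__main__":
    print(demo())
```

All three reported errors are at the level of floating-point rounding: Bob's blocks agree, each $U_q$ is unitary, and applying $U$ on Alice's side alone turns the first state into the second.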



C. Nontrivial total charge 

The property that $\mathcal{B}' \neq \mathcal{A}$ in the nonabelian case (with
nontrivial total charge) encourages one to hope that a bit
commitment protocol can be formulated whose security
is founded on a nonabelian superselection rule. Indeed,
consider again the case G = SU(2) with total charge
j = 1/2 as in eq. (73). When Alice has control of the full
AB system, she can prepare either of the states $|\pm\rangle_{AB}$
shown in eq. (90), and then she can send the B system
to Bob. Now Bob is unable to distinguish the two
states, because he cannot measure the relative phase in
a superposition of two states of different charge. Furthermore
there is no invariant operation Alice can apply
that changes $|+\rangle$ to $|-\rangle$ or vice versa. It seems, then,
that the protocol is both concealing and binding! At
any rate, quantum bit commitment in a world with nonabelian
superselection rules seems fundamentally different
than quantum bit commitment in a world in which
all superselection rules are abelian.

But, as always in a discussion of information-theoretic 
security, we must be sure to consider the most general 
possible cheating strategies. And in fact, we can argue 
that for the security analysis, there is no loss of generality 
if we assume that the charge shared by the parties is 
trivial, the case we have already dealt with in Sec. VII B.
This reduction to the case of trivial total charge follows
closely our discussion in Sec. VII A, where we showed
that it suffices to assume that the parties share a pure 
state. 

Consider a general two-party quantum bit commit- 
ment protocol in which the initial state shared by Alice 
and Bob is a tensor product $\rho_A \otimes \rho_B$ of invariant states.

FIG. 2: "Purification" of a two-party game with nontrivial
total charge. At the beginning of the game, the charge
of C (hidden behind a brick wall) compensates for Alice's
charge $q_A$, and the charge of D (also hidden) compensates for
Bob's charge $q_B$. Honest players never touch the compensating
charges, but a cheating Alice might manipulate C and a
cheating Bob might manipulate D.

The state $\rho_A$ can be purified if we introduce an ancilla
C; furthermore, the pure state of AC can be chosen to
have trivial total charge. Similarly, we can purify $\rho_B$ using
the ancilla D, in such a way that the pure state of
BD has trivial total charge. (See Fig. 2.) Each operation
performed by Alice or Bob can be taken to be a
charge-conserving unitary transformation; therefore, at 
each stage of the protocol, the state of the full system 
ABCD is a pure state with trivial total charge. 

In the honest protocol, the ancillas C and D are inac- 
cessible. But if Bob cheats, he can throw away the initial 
invariant state $\rho_B$ called for in the protocol, and replace
it by a trivially charged pure state of BD, where D is
now an ancilla that Bob controls. Therefore, if the bit
commitment protocol is concealing, then $\rho_{0,BD} = \rho_{1,BD}$
- Bob can't learn anything about the committed bit
from any invariant joint measurement on BD. Since the
state of the full system ABCD is a pure state with trivial
charge, the argument of Sec. VII B suffices to show
that Alice can transform $|\psi_0\rangle$ to $|\psi_1\rangle$ with an invariant
local operation applied to AC. Hence, the protocol is not 
binding. We have proved, then, that, even when the pro- 
tocol calls for a nontrivial total charge, if Bob is unable 
to cheat then Alice can cheat — unconditionally secure 
quantum bit commitment is impossible. We have: 

Theorem 2 Consider a quantum bit commitment protocol
in the I-world, where at the beginning of the protocol
Alice and Bob share a product of invariant states. Then 
if the protocol is concealing, it is not binding. 

Our proof, which reduces the case of nontrivial total 
charge to the case of trivial total charge, is really just 
a minor variant of the argument in Sec. VII A that reduces
the case of a protocol where Alice and Bob share
a mixed state to the case where they share a pure state. 

In the case of our bit commitment protocol in which
the total charge of AB is j = 1/2, if Alice is unable to
access the compensating charge in C, then she can't cheat
successfully. But if Alice controls the whole AC system,
then Alice's charge $j_{AC} = 0, 1$ is perfectly correlated with
Bob's, and she can rotate the relative phase of the $j_{AC} = 0$
and $j_{AC} = 1$ components of her state, transforming $|+\rangle$
This reduction of a protocol with nontrivial total
charge to a protocol with trivial total charge can be generalized.
In the I-world, consider an n-party protocol
in which up to k < n of the parties might cheat, where
the initial state is the product of invariant states $\otimes_{i=1}^{n} \rho_i$,
and where all operations performed by the parties are required
to conserve the local charge. Then we may imagine
that each party is issued a compensating charge at
the beginning of the protocol, so that each party actu- 
ally starts out with trivial charge. The honest parties 
will never touch their compensating charges, but a cheat- 
ing party cannot be prevented from performing arbitrary 
joint operations on her system and her compensating 
charge. This strategy is realizable because the cheater 
might throw away the invariant state she holds at the 
beginning of the protocol, and replace it by a charge-zero 
state that she controls fully. Furthermore, if an attack 
by the cheaters is successful in the protocol where the 
honest players start out with trivial charge, then it will 
also be successful if the honest players start out with a 
product of charged invariant states; since honest play- 
ers never make use of the compensating charges, their 
presence can have no impact on the effectiveness of the 
attack. Therefore, we have: 

Theorem 3 Let P be an n-party quantum protocol in the 
I-world that securely realizes a task li, where the initial 
state in P is a product of n invariant states. Then there 
is an I-world protocol P' that also securely realizes H, 
where the initial state in P' is a product of n pure states, 
each with trivial charge. 

In other words, in a security analysis, we may assume 
without any loss of generality that each party holds a 
pure state with trivial charge at the start of the protocol. 

Note that for the proofs of Theorems 2 and 3, our ob- 
servations from Sec. II and III on the use of reference 
systems are not needed. Rather, to prove Theorems 2 
and 3, we use only two properties of the I-world superselection
sectors: first, that for each charge sector $\mathcal{H}_q$ there
is a unique conjugate charge sector $\mathcal{H}_{\bar{q}}$ such that the trivial
sector $\mathcal{H}_1$ is contained in $\mathcal{H}_q \otimes \mathcal{H}_{\bar{q}}$, and second, that
any invariant state has a purification with trivial total
charge. These properties hold not just for the case of superselection
rules arising from a symmetry group G, but
also for the more general superselection rules considered
in Sec. VIII. Therefore, Theorems 2 and 3 apply in this
more general setting. 



VIII. TWO-PARTY PROTOCOLS IN GENERAL 

A. Overview 

We will now analyze the impact of superselection rules 
on the security of general two-party protocols. We will 
show that for any protocol P in the invariant world
(I-world) subject to the superselection rule, there is a
corresponding protocol $\tilde{P}$ in the unrestricted world (U-world),
where $\tilde{P}$ simulates P in the following sense: First,
when performed honestly, P and $\tilde{P}$ accomplish the same
task. And second, for any cheating strategy that can
be adopted by a dishonest party in $\tilde{P}$, there is a corresponding
cheating strategy in P that is just as effective.
In particular then, if $\tilde{P}$ is insecure, then so is P. We
conclude, therefore, that superselection rules cannot enhance
the (information-theoretic) security of two-party
protocols. The methods we will use to establish this result
are quite different than those used in Sec. III to treat
the case of superselection rules arising from a symmetry 
group. 

Before going into the details, we will briefly describe 
the main ideas used in our argument. First of all, we 
will restrict our attention to a protocol in which the total
charge shared by the two parties is trivial (belongs to the
trivial superselection sector). We know from Theorem 3
in Sec. VII C that it suffices to treat this special case in an
analysis of security. A protocol with trivial total charge
has this useful property: if Alice knows that she holds
charge q after sending a message to Bob, then Alice also
knows that Bob will hold the conjugate charge $\bar{q}$ upon
receiving the message. Similarly, Bob knows what Alice's 
charge will be after she receives a message sent by Bob. 
Our analysis of security relies on the property that Bob 
has a definite charge if Alice does, and therefore it applies 
only to two-party protocols. 

In the I-world, charge is conserved, so that the total
charge shared by Alice and Bob is trivial at each stage of
the protocol; furthermore, local operations performed by
Alice or Bob must preserve the conserved charge. In the
U-world, charge need not be conserved, but the protocol
$\tilde{P}$ that simulates the I-world protocol P can be chosen to
respect conservation of a fictitious "charge" that behaves
like the actual conserved charge of the I-world. However,
a dishonest party who is not bound to follow the
protocol $\tilde{P}$ can perform operations that violate "charge"
conservation. Our task is to ensure that the greater freedom
enjoyed by a dishonest party in the U-world does
not enhance her ability to cheat successfully.

For this purpose, our argument relies on the concept of
the format of a message exchanged between the parties.
In the U-world, the format is simply the Hilbert space
containing the message. In the protocol $\tilde{P}$, the recipient
of a message always checks that the format of the message
is valid, and aborts the protocol if the message is invalid.
A valid message corresponds to one that could have been
sent in the I-world, while a message is invalid only if the
sender violated the local conservation of "charge" before
sending it. Thus, a message that upon receipt is found to
be in the proper format could have been sent by a party
who performed a charge-conserving local operation — in
effect the sender is unable to play a charge nonconserving
strategy without being detected. Since effective charge
conservation is enforced by halting the protocol when a
charge nonconservation is detected, it will be essential
for our argument to consider games that can be aborted
at any stage by either party. A cheating strategy for the
I-world protocol P and the corresponding cheating strategy
for its U-world counterpart $\tilde{P}$ will cause the game to
halt prematurely with the same probability, as well as
produce the same probability distribution of outcomes in
the event that the game ends normally, without being
aborted.



B. Superselection rules and charges 

Before proceeding to our proof, we should recall the 
properties of superselection rules and charges that will 
be invoked in the argument. These properties have been 
explored already in Sec. E] for the special case of super- 
selection sectors labeled by irreducible unitary represen- 
tations of compact groups. Here we wish to emphasize 
that some of the same ideas can be extended to a more 
general setting, and we will indicate how a two-party pro- 
tocol in which conserved charges are exchanged can be 
simulated using ordinary qubits. 

In general, a superselection rule is a decomposition of 
Hilbert space into a direct sum of sectors such that each 
sector is preserved by the allowed operations. The charge 
q is a label that distinguishes the distinct sectors, and we 
may say that the operations allowed by the superselection
rule conserve the charge. Thus, the Hilbert space is
expressed as

$$\mathcal{H} = \bigoplus_q \mathcal{H}_q , \qquad (99)$$

and the allowed operations belong to the algebra

$$\bigoplus_q \mathcal{L}(\mathcal{H}_q) , \qquad (100)$$

where $\mathcal{L}(\mathcal{H}_q)$ denotes linear operators acting on $\mathcal{H}_q$.

Depending on the particular form of the superselection 
rule, there are specific rules governing how the charge 
behaves when a system splits into two subsystems, or 
when two systems fuse to become a single system. These 
rules can be encoded in vector spaces $V_c^{a,b}$ defined by

$$\mathcal{H}_c = \bigoplus_{a,b} \mathcal{H}_a \otimes \mathcal{H}_b \otimes V_c^{a,b} . \qquad (101)$$

The space $V_c^{a,b}$ is n-dimensional if there are n distinguishable
ways that a charge c object can arise when objects
with charges a and b fuse. Consistency of eq. (101) with
associativity of the tensor product requires the $V_c^{a,b}$'s to
obey certain identities, but we will not discuss these further
as they will not be needed for our proof.

There is a trivial-charge sector, denoted $\mathcal{H}_1$, that behaves
as the identity under fusion:

$$\mathcal{H}_c \otimes \mathcal{H}_1 = \mathcal{H}_c . \qquad (102)$$

Furthermore, there is a unique charge $\bar{q}$, the conjugate of
q, that can fuse with q to yield the identity:

$$\mathcal{H}_1 = \bigoplus_q \mathcal{H}_q \otimes \mathcal{H}_{\bar{q}} . \qquad (103)$$

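Now, in the I-world, consider a bipartite system shared
by Alice and Bob. The Hilbert space decomposes as

$$\mathcal{H} = \bigoplus_q \mathcal{H}_q , \qquad \mathcal{H}_q = \bigoplus_{q_A,q_B} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{B,q_B} \otimes V_q^{q_A,q_B} , \qquad (104)$$

where q is the total charge, $q_A$ is the charge of Alice's system,
and $q_B$ is the charge of Bob's system. The physical
operations, allowed by the superselection rule, conserve
the total charge, and hence belong to the algebra

$$\mathcal{O} = \bigoplus_q \mathcal{L}(\mathcal{H}_q) . \qquad (105)$$

The operations Alice can perform, which conserve Alice's
charge and act trivially on Bob's system, belong to

$$\mathcal{A} = \bigoplus_{q,q_A,q_B} \mathcal{L}(\mathcal{H}_{A,q_A}) \otimes I_{B,q_B}^{q_A,q} , \qquad (106)$$

where $I_{B,q_B}^{q_A,q}$ denotes the identity acting on $\mathcal{H}_{B,q_B} \otimes V_q^{q_A,q_B}$.
Similarly, the algebra of operations that Bob
can perform is

$$\mathcal{B} = \bigoplus_{q,q_A,q_B} I_{A,q_A}^{q,q_B} \otimes \mathcal{L}(\mathcal{H}_{B,q_B}) , \qquad (107)$$

where $I_{A,q_A}^{q,q_B}$ denotes the identity acting on $\mathcal{H}_{A,q_A} \otimes V_q^{q_A,q_B}$.
In contrast, the commutant $\mathcal{B}'$ of $\mathcal{B}$, which conserves
the total charge and Bob's charge but need not
conserve Alice's, is

$$\mathcal{B}' = \bigoplus_{q,q_B} \mathcal{L}\left(\bigoplus_{q_A} \mathcal{H}_{A,q_A} \otimes V_q^{q_A,q_B}\right) \otimes I_{B,q_B} , \qquad (108)$$

where $I_{B,q_B}$ is the identity on $\mathcal{H}_{B,q_B}$, and similarly

$$\mathcal{A}' = \bigoplus_{q,q_A} I_{A,q_A} \otimes \mathcal{L}\left(\bigoplus_{q_B} \mathcal{H}_{B,q_B} \otimes V_q^{q_A,q_B}\right) . \qquad (109)$$

Thus $\mathcal{A}' = \mathcal{B}$ and $\mathcal{B}' = \mathcal{A}$ if and only if the charges
$q_A$ and $q_B$ are perfectly correlated (there is a unique $q_B$
corresponding to each $q_A$ and vice versa). This condition
holds, in particular, if the total charge is trivial, in which
case our formulas simplify to

$$\mathcal{H} = \mathcal{H}_1 = \bigoplus_q \mathcal{H}_{A,q} \otimes \mathcal{H}_{B,\bar{q}} ,$$

$$\mathcal{A} = \mathcal{B}' = \bigoplus_q \mathcal{L}(\mathcal{H}_{A,q}) \otimes I_{B,\bar{q}} ,$$

$$\mathcal{B} = \mathcal{A}' = \bigoplus_q I_{A,q} \otimes \mathcal{L}(\mathcal{H}_{B,\bar{q}}) . \qquad (110)$$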



C. Simulating charge exchange 

A novelty of a two-party protocol in the I-world is
that when Alice (for example) sends a message to Bob,
she may choose to split the charge she possesses into two
parts — the charge she retains and the charge of the
message that she sends. If the total charge is trivial, then
the full Hilbert space comprising Alice's system A, Bob's
system B, and the message system M can be expressed
as

$$\mathcal{H}_1 = \bigoplus_{q_A,q_B,q_M} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{B,q_B} \otimes \mathcal{H}_{M,q_M} \otimes V_1^{q_A,q_B,q_M} . \qquad (111)$$

The isomorphisms

$$V_1^{q_A,q_B,q_M} \cong V_{\bar{q}_B}^{q_A,q_M} \cong V_{\bar{q}_A}^{q_B,q_M} \qquad (112)$$

invite us to interpret eq. (111) in complementary ways —
namely, the charge $\bar{q}_B$ of AM is conjugate to the charge
$q_B$ of B, and the charge $\bar{q}_A$ of BM is conjugate to the
charge $q_A$ of A. Thus, eq. (111) describes the splitting
of Alice's initial charge $\bar{q}_B$ into the charge $q_A$ that she
retains and the charge $q_M$ of the message, as well as the
fusion of the charge $q_M$ of the message with Bob's initial
charge $q_B$ to yield Bob's final charge $\bar{q}_A$. Furthermore, if
$V_1^{q_A,q_B,q_M}$ is of dimension greater than one, then a vector
in $V_1^{q_A,q_B,q_M}$ describes the particular manner in which
Alice performs the splitting, which in turn determines
the result of Bob's fusion.

While the information encoded in $V_1^{q_A,q_B,q_M}$ is an intrinsic
property in the I-world, if we are to simulate the
process of charge exchange in the U-world, then this information
must be carried by ordinary qubits. In such
a simulation, the Hilbert space of Alice's system, Bob's
system, and the message is expanded to

$$\mathcal{H} = \bigoplus_{q_1,q_2,q_A,q_B,q_M} \mathcal{H}_{A,q_1} \otimes \mathcal{H}_{B,q_2} \otimes \mathcal{H}_{M,q_M} \otimes V_1^{q_A,q_B,q_M} , \qquad (113)$$

but where now $V_1^{q_A,q_B,q_M}$ is to be regarded as an explicit
part of the message. If the conditions $q_1 = q_A$ and
$q_2 = q_B$ were imposed, then the "format" of this message
would coincide perfectly with the information content of
a message sent in the I-world. But while in the I-world
these conditions arise from the intrinsic physics of the superselection
rule, in the U-world they must be imposed
by hand through proper design of the protocol.

Thus, in the U-world protocol $\tilde{P}$ that simulates the
I-world protocol P, we will require the recipient of a
message to verify its format — Alice checks that $q_1 = q_A$
and Bob checks that $q_2 = q_B$. Of course, at a given stage
of the protocol P, Alice or Bob might hold a coherent
superposition of different charges, even though the total
charge is always guaranteed to be trivial. Therefore the
verification step in $\tilde{P}$ must be performed coherently; Alice,
for example, checks that $q_1$ and $q_A$ match without
learning the value of $q_1$ or $q_A$. If verification fails, then
the message recipient has detected cheating by the other
party and aborts the protocol. If verification succeeds,
then the message has been projected onto the valid format,
and as far as the recipient is concerned, it is just as
though the message had been sent in the right format to
begin with.

Whenever Alice cheats in the U-world protocol $\tilde{P}$ by
modifying her charge, she risks detection, and if her
cheating is undetected, then her operation is equivalent
to a charge-conserving one. Therefore, Alice has an
equivalent strategy in the I-world protocol P, in which
she either halts the game herself with some probability
before sending her message, or if the game does not halt,
performs an operation allowed by the superselection rule.
This observation suffices to establish that $\tilde{P}$ simulates
P, and thus that the superselection rule cannot thwart
cheating.

To summarize, for the purpose of characterizing Alice's 
ability to cheat, we are only interested in how Alice's 
activities will affect Bob's measurements. Although in 
the U-world Alice has the power to violate conservation
of "charge," she is unable to fool Bob into accepting a
message that is not isomorphic to one that could have
been created in the I-world. Therefore, Alice's elevated
power in the U-world gives her no advantage.
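The coherent format check and the equivalence of strategies described in this subsection can be seen in a small model. This is an added example, not code from the paper: it keeps only Bob's charge label $q_2$ and the label $q_B$ carried by the message, with two charge values and no internal degrees of freedom. Those simplifications, the amplitudes and every function name are assumptions of the example.

```python
import cmath
import math

def honest_state(amps):
    """sum_q c_q |q2=q>|qB=q>: Bob's own charge label and the label in the message."""
    return {(q, q): complex(c) for q, c in amps.items()}

def alice_acts_on_message(w, state):
    """U-world Alice applies any matrix w[new][old] to the message label qB only;
    w is not required to conserve 'charge'."""
    out = {}
    for (q2, qb), c in state.items():
        for new in range(len(w)):
            amp = w[new][qb] * c
            if amp != 0:
                out[(q2, new)] = out.get((q2, new), 0j) + amp
    return out

def coherent_format_check(state):
    """Bob projects onto q2 == qB without reading either label. Returns the
    unnormalized accepted state and the probability that he does not abort."""
    kept = {k: c for k, c in state.items() if k[0] == k[1]}
    return kept, sum(abs(c) ** 2 for c in kept.values())

def equivalent_conserving_map(w):
    """I-world counterpart of w in this model: the compression of w onto the
    valid format, i.e. the charge-conditioned contraction diag(w[q][q])."""
    return [w[q][q] for q in range(len(w))]

def apply_conserving(diag, state):
    return {(q2, qb): diag[qb] * c for (q2, qb), c in state.items()}

def state_gap(x, y):
    return max(abs(x.get(k, 0j) - y.get(k, 0j)) for k in set(x) | set(y))

def demo():
    # Constructed input: an equal-weight superposition of charges 0 and 1.
    amps = {0: math.sqrt(0.5), 1: math.sqrt(0.5) * cmath.exp(0.7j)}
    a = math.cos(0.6) * cmath.exp(0.3j)
    b = math.sin(0.6)
    w = [[a, -b], [b, a.conjugate()]]          # unitary that mixes the labels
    honest = honest_state(amps)
    accepted, p_accept = coherent_format_check(alice_acts_on_message(w, honest))
    diag = equivalent_conserving_map(w)
    i_world = apply_conserving(diag, honest)   # Alice contracts, Bob never aborts
    return {"p_accept": p_accept,
            "p_continue_iworld": sum(abs(c) ** 2 for c in i_world.values()),
            "state_gap": state_gap(accepted, i_world),
            "contraction": [abs(d) for d in diag],
            "coherence": abs(accepted[(0, 0)] * accepted[(1, 1)].conjugate())}

if __name__ == "__main__":
    print(demo())
```

The accepted state still carries the relative phase between the two charge values, which is what a check that read out the labels would destroy, and it coincides with the state produced by the charge-conserving contraction.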



D. Definitions 
FIG. 3: The U-world protocol $\tilde{P}$ simulates the I-world protocol
P if the honest protocols realize the same task, and if
for any cheating strategy in $\tilde{P}$ there is an equivalent cheating
strategy in P.

Having explained the main ideas, we will now present 
a more formal proof of our result. To begin, we must de- 
fine the general notions of "protocol" and "simulation" 
in accord with our goals. The definitions are quite natu- 
ral, but there are some technicalities that are necessary 
for the proof to work. 

We consider quantum games between two parties, Al- 
ice and Bob. We assume that Alice sends the first mes- 
sage and the players alternate. The protocol of a game 
specifies the total number of messages, their format, the 
strategies for honest players, and a way to determine the 
game outcome. By "format" in the U-world we mean the
Hilbert space $\tilde{\mathcal{H}}_M$ of a given message. In the I-world, we
specify the space $\mathcal{H}_{M,q_M}$ for each value of the message
charge $q_M$.



To define an honest strategy in the I-world, we specify
for each value of Alice's charge $q_A$ her corresponding
space $\mathcal{H}_{A,q_A}$; likewise, we specify Bob's space $\mathcal{H}_{B,q_B}$ for
each $q_B$. The game starts with a pure state

$$|\xi_A\rangle \otimes |\xi_B\rangle \in \mathcal{H}_{A,1} \otimes \mathcal{H}_{B,1} , \qquad (114)$$

where 1 stands for the trivial charge. If one of the players
(say, Alice) cheats, she may use a different set of private
spaces $\mathcal{H}'_{A,q_A}$, but the initial state still must be of the
form $|\xi_A\rangle \otimes |\xi_B\rangle$, where $|\xi_A\rangle \in \mathcal{H}'_{A,1}$.

Alice's and Bob's actions in the kth step are described
by operators $W_{Ak}$, $W_{Bk}$. The final outcome is determined
by a pair of measurements that are performed independently
on Alice's and Bob's subsystems at the end
of the game. We are interested in the joint probability 
distribution of the measurement results. However, if one 
of the players cheats, only the honest player's subsystem 
is measured. 

For the reasons explained in Sec. VIII A, we will assume
that the game can be aborted by either player.
If the game is aborted, we will not need to keep track
of who ends the game or when it ends — we will only
be interested in whether the game ends normally and if
so what is the outcome. For this purpose the quantum
state can be characterized by a vector $|\psi\rangle$ such that $\langle\psi|\psi\rangle$
is the probability that the game has not been aborted.
Operations performed by each player may then be described
by contracting maps, i.e., operators W such that
$W^\dagger W \le I$. We assume that the game is never aborted if
both players are honest, so that the probabilities of dif- 
ferent outcomes add up to 1 in the honest game. If one of 
the players cheats, the total probability of all outcomes 
is generally less than 1. 

Now we define what it means for one protocol to simulate
another (see Fig. 3):

Definition A protocol $\tilde{P}$ simulates the protocol P if the
following conditions are fulfilled:

1. The honest strategies in P and $\tilde{P}$ give rise to the
same probability distribution of the outcomes.

2. For any cheating strategy $\tilde{A}'$ by Alice compatible
with the protocol $\tilde{P}$ there exists an equivalent strategy
$A'$ for the protocol P. ("Equivalent" means that
Bob's measurement result has the same probability
distribution in both cases.)

3. For any cheating strategy $\tilde{B}'$ by Bob compatible with
the protocol $\tilde{P}$ there is an equivalent strategy $B'$ for
the protocol P.

Note that when we say that the two cheating strategies
are equivalent we mean in particular that the probability
that the game ends normally is the same for both
strategies.

To better understand our concept of simulation it is very helpful to consider this simple example: Suppose that the message space $\mathcal{H}_M$ of $P$ is embedded in a larger space $\tilde{\mathcal{H}}_M$ of $\tilde{P}$. Honest players follow the same strategies in $\tilde{P}$ as in $P$, so that condition 1 is obviously satisfied. However, the players in $\tilde{P}$ must be prepared to receive messages that do not obey the format of $P$, i.e., do not fit into the subspace $\mathcal{H}_M$. In $\tilde{P}$ such messages are rejected, and the game is aborted. This rule prevents a dishonest player from gaining any advantage (relative to simply quitting the game) by sending an invalid message. More formally, suppose that Alice cheats using some strategy $\tilde{A}'$. In the corresponding strategy $A'$, Alice projects her message system $\tilde{\mathcal{H}}_M$ onto the subspace $\mathcal{H}_M$ before sending each message. Thus if the strategy $\tilde{A}'$ calls for Alice to apply the operator $\tilde{W}'_{Ak}$ in the $k$th round, then in the strategy $A'$ Alice applies the contracting map $W'_{Ak} = \Pi \tilde{W}'_{Ak}$, where $\Pi$ is the orthogonal projector onto $\mathcal{H}_M$. The strategies $\tilde{A}'$ and $A'$ are equivalent: whenever a message sent according to $\tilde{A}'$ causes Bob to abort the game, the strategy $A'$ requires Alice to abort the game herself. Similarly, given any cheating strategy $\tilde{B}'$ for Bob in the game $\tilde{P}$, there is an equivalent cheating strategy $B'$ in $P$. Thus, conditions 2 and 3 are satisfied, and $\tilde{P}$ simulates $P$.

Our analysis of superselection rules in Sec. VIII E will be based on a closely related method of simulation.

We also remark that Theorem 1 proved in Sec. III can be restated: for a multiparty protocol $P$ in the $G$-invariant world, there is a $U$-world protocol $\tilde{P}$ that simulates $P$. In that case, we implicitly adopt a redundant description of the physical states appearing in $P$, admitting fictitious color degrees of freedom. Then $\tilde{P}$ is exactly the same protocol as $P$, but with the color now reinterpreted as a physical variable. Similarly, Theorem 3 in Sec. VII C can be stated: any $n$-party $I$-world protocol in which the initial state is a product of $n$ invariant states can be simulated by an $I$-world protocol in which the initial state is a product of $n$ pure states, each with trivial charge.



E. Proof 

Our goal is to prove: 

Theorem 4 Let $P$ be a two-party game in the $I$-world, such that both parties hold trivial charges at the beginning of the game. Then there is a $U$-world game $\tilde{P}$ that simulates $P$.

In the proof we construct the $U$-world protocol $\tilde{P}$ that simulates the $I$-world protocol $P$, and explain how the cheating strategy $A'$ that is equivalent to $\tilde{A}'$ is formulated. We achieve this by applying the procedure for simulating charge exchange in the $U$-world that was described in Sec. VIII C.

Consider the $I$-world protocol $P$. If the total charge is trivial, then the full Hilbert space including Alice's system $A$, Bob's system $B$, and the message $M$ is

$$\mathcal{H} = \bigoplus_{q_A,q_B,q_M} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{B,q_B} \otimes \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M}. \tag{115}$$

Without loss of generality we assume that the spaces $\mathcal{H}_{A,q_A}$, $\mathcal{H}_{B,q_B}$, $\mathcal{H}_{M,q_M}$ are the same in each step of the protocol. We may also assume that the message is present at the beginning and at the end of the game and that the initial state has the form $|\xi_A\rangle \otimes |\xi_B\rangle \otimes |0\rangle$, where $|0\rangle \in \mathcal{H}_{M,q_M}$ for the trivial charge $q_M$.

Each time Alice receives one message and sends another, she applies an operator to $AM$ that preserves Bob's charge $q_B$; this is a contracting map belonging to the algebra

$$\bigoplus_{q_B} \mathcal{L}\Big( \bigoplus_{q_A,q_M} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M} \Big). \tag{116}$$

Alice's honest strategy consists of a sequence of such operators — in the $k$th step she applies an operator $W_{Ak}$. Similarly, Bob's honest strategy is defined by operators $W_{Bk}$.

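Now consider the $U$-world protocol $\tilde{P}$ that simulates $P$. The Hilbert space of $\tilde{P}$ is

$$\tilde{\mathcal{H}} = \tilde{\mathcal{H}}_A \otimes \tilde{\mathcal{H}}_B \otimes \tilde{\mathcal{H}}_M, \tag{117}$$

where

$$\tilde{\mathcal{H}}_A = \bigoplus_{q_1} \mathcal{H}_{A,q_1}, \qquad \tilde{\mathcal{H}}_B = \bigoplus_{q_2} \mathcal{H}_{B,q_2}, \qquad \tilde{\mathcal{H}}_M = \bigoplus_{q_A,q_B,q_M} \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M}. \tag{118}$$

Thus the space $\mathcal{H}$ of the protocol $P$ can be embedded in $\tilde{\mathcal{H}}$ by requiring $q_1 = q_A$ and $q_2 = q_B$. In $\tilde{P}$, these constraints are enforced by checks performed by both parties. A dishonest player's attempt to break the constraints will be detected immediately by the other party, in which case the game will halt.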

Let us describe Alice's honest strategy in $\tilde{P}$. When Alice receives a message, she gains control of the space $\tilde{\mathcal{H}}_A \otimes \tilde{\mathcal{H}}_M$. First she verifies that $q_1 = q_A$ (without determining the value of $q_1$ or $q_A$); if verification fails, she aborts the game. Thus Alice effectively projects her input state onto the subspace

$$\mathcal{H}_{AM} = \bigoplus_{q_A,q_B,q_M} \mathcal{H}_{A,q_A} \otimes \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M} \subset \tilde{\mathcal{H}}_A \otimes \tilde{\mathcal{H}}_M. \tag{119}$$

Then she applies the operator $W_{Ak}$ (from the protocol $P$), which acts on $\mathcal{H}_{AM}$ and preserves $q_B$. Thus Alice's strategy is defined by the contracting maps

$$\tilde{W}_{Ak} = F W_{Ak} F^\dagger, \tag{120}$$

where $F$ denotes the embedding $\mathcal{H}_{AM} \to \tilde{\mathcal{H}}_A \otimes \tilde{\mathcal{H}}_M$. Bob's honest strategy is defined similarly.

If both players play the game $\tilde{P}$ honestly, then the verification always succeeds and the conditions $q_1 = q_A$ and $q_2 = q_B$ are maintained throughout the game. Thus the honest strategies for $\tilde{P}$ and $P$ are clearly equivalent. Note that in $\tilde{P}$ some information is encoded redundantly — for example Alice can access the value of $q_A$ by examining either the charge label of $\mathcal{H}_{A,q_A}$ or one of the slots of the tensor $V^{q_A,q_B,q_M}$; similarly $q_M$ is encoded both in $\mathcal{H}_{M,q_M}$ and in $V^{q_A,q_B,q_M}$. However, this redundancy has no deleterious effect on the fidelity of the simulation.

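Now suppose that Alice cheats in the game $\tilde{P}$. Then she may use an arbitrary Hilbert space $\tilde{\mathcal{H}}'_A$ and operators $\tilde{W}'_{Ak}$ acting on

$$\tilde{\mathcal{H}}'_{AM} = \tilde{\mathcal{H}}'_A \otimes \tilde{\mathcal{H}}_M = \tilde{\mathcal{H}}'_A \otimes \Big( \bigoplus_{q_A,q_B,q_M} \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M} \Big). \tag{121}$$

In particular, when Alice cheats her action on the message need not respect the condition $q_B = q_2$. To prove the theorem, we are to define an equivalent cheating strategy for the game $P$.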

When Alice cheats in $P$, she uses an arbitrary Hilbert space $\mathcal{H}'_{A,q_A}$ for each value of her charge $q_A$, and she applies operators $W'_{Ak}$ that conserve Bob's charge $q_B$ to the space

$$\mathcal{H}'_{AM} = \bigoplus_{q_A,q_B,q_M} \mathcal{H}'_{A,q_A} \otimes \mathcal{H}_{M,q_M} \otimes V^{q_A,q_B,q_M}. \tag{122}$$

The spaces $\mathcal{H}'_{AM}$ and $\tilde{\mathcal{H}}'_{AM}$ seem to be distinct — in $\mathcal{H}'_{AM}$ the charge label carried by $\mathcal{H}'_{A,q_A}$ matches the label in one of the slots of $V^{q_A,q_B,q_M}$, while in $\tilde{\mathcal{H}}'_{AM}$ there is no such correlation. However, in the $U$-world the variable $q_A$ would be encoded redundantly if it appeared in both $\mathcal{H}'_{A,q_A}$ and $V^{q_A,q_B,q_M}$, and it is not necessary to adopt this redundant encoding in order to emulate the physics of the $I$-world. Instead, let us specify $\mathcal{H}'_{A,q_A} = \tilde{\mathcal{H}}'_A$ for each $q_A$; then $\mathcal{H}'_{AM}$ and $\tilde{\mathcal{H}}'_{AM}$ are of the same form, but where it is understood in eq. (121) that the information about the charge $q_A$ is carried only by $V^{q_A,q_B,q_M}$. With this choice Alice's operator $\tilde{W}'_{Ak}$ in $\tilde{P}$ and her operator $W'_{Ak}$ in $P$ act on isomorphic spaces; however $W'_{Ak}$ must conserve Bob's charge $q_B$, while $\tilde{W}'_{Ak}$ need not conserve charge.

Therefore, we define the corresponding cheating strategy in $P$ by specifying

$$W'_{Ak} = \sum_{q_B} \Pi_{q_B} \tilde{W}'_{Ak} \Pi_{q_B}, \tag{123}$$

where $\Pi_{q_B}$ is the projector onto the subspace with the given value of $q_B$. That is, $\Pi_{q_B}$ projects $\tilde{\mathcal{H}}_M$ onto the space in which $V^{q_A,q_B,q_M}$ has the value $q_B$ in the appropriate slot. The contracting map $W'_{Ak}$ preserves $q_B$ and therefore is admissible in the protocol $P$. Applying this $W'_{Ak}$ causes Alice to abort the game $P$ in the case where $q_B$ would change in the game $\tilde{P}$. But in that case the new value of $q_B$ would not match Bob's variable $q_2$; therefore Bob would reject Alice's message and abort the game $\tilde{P}$. Hence the two games $P$ and $\tilde{P}$ are aborted with the same probability; furthermore, the final state that Bob measures in $P$, if $P$ does not abort, is identical to the final state that Bob measures in $\tilde{P}$, if $\tilde{P}$ does not abort. Therefore, when Alice cheats, Bob's measurement outcome has the same probability distribution in $P$ as in $\tilde{P}$. The same is true for Alice's measurement when Bob cheats. Therefore, $\tilde{P}$ simulates $P$, which completes the proof of Theorem 4.
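A numerical check of the final step of the proof, eq. (123), added here as an illustration and not part of the original paper. It assumes a toy model with two charge sectors in which the fusion-space slot for Bob's charge is reduced to a basis label; the dimensions, the operator `W_CHEAT` and the input amplitudes are constructed.

```python
import math

DIM_M = 2                       # internal message states per charge sector
N = 2 * DIM_M                   # message basis index i = DIM_M*q_B + m, q_B in {0, 1}

def sector(i):
    """Value of Bob's charge q_B written in the message's charge slot."""
    return i // DIM_M

def apply_to_message(W, state):
    """Apply W to the message part; state[q2][i] is the amplitude for Bob's record q2."""
    return [[sum(W[i][j] * row[j] for j in range(N)) for i in range(N)] for row in state]

def conserve(W):
    """Eq. (123): W' = sum_q Pi_q W Pi_q keeps only the charge-diagonal blocks of W."""
    return [[W[i][j] if sector(i) == sector(j) else 0 for j in range(N)] for i in range(N)]

def bob_check(state):
    """Bob's verification q2 = q_B in the U-world game; failing components mean abort."""
    return [[a if sector(i) == q2 else 0 for i, a in enumerate(row)]
            for q2, row in enumerate(state)]

def norm2(state):
    return sum(abs(a) ** 2 for row in state for a in row)

# Constructed cheating operator: a unitary that rotates amplitude between the two
# charge sectors, so it does not conserve q_B.
C, S = math.cos(0.7), math.sin(0.7)
W_CHEAT = [[C, 0, -S, 0],
           [0, 1j, 0, 0],
           [S, 0, C, 0],
           [0, 0, 0, 1]]

# Constructed input obeying the format: the charge slot agrees with Bob's record q2.
HONEST_IN = [[0.5, 0.5, 0, 0],
             [0, 0, 0.5, 0.5]]

def compare_games():
    """Return Bob's unnormalised accepted state and the abort probability in each game."""
    accepted_u = bob_check(apply_to_message(W_CHEAT, HONEST_IN))   # Bob aborts on mismatch
    state_i = apply_to_message(conserve(W_CHEAT), HONEST_IN)       # Alice aborts herself
    return accepted_u, 1 - norm2(accepted_u), state_i, 1 - norm2(state_i)

if __name__ == "__main__":
    acc_u, p_u, st_i, p_i = compare_games()
    print("abort probability, U-world game:", round(p_u, 6))
    print("abort probability, I-world game:", round(p_i, 6))
```

The projected operator is a contraction rather than a unitary; the norm it removes is the probability that Alice aborts in the I-world game, which equals the probability that Bob's check fails in the U-world game.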



IX. CONCLUSIONS 

Recent progress in the theory of quantum computation 
and quantum cryptography highlights the importance of 
adopting a computational model compatible with fun- 
damental physics — tasks that would be impossible in 
a classical world may be physically realizable because 
Nature is quantum mechanical. Further refinements of 
the model could lead to further insights regarding what 
information-processing tasks are achievable. Therefore, 
as Popescu [12] emphasized, the impact of superselection 
rules on the security of quantum protocols is of consider- 
able potential interest. However, our disappointing con- 
clusion is that superselection rules cannot foil a cheater 
who has unlimited quantum-computational power. 

Contemplating this issue has led us to consider how 
physics in the invariant world can simulate physics in 
the unrestricted world, and vice versa. We feel that the 
simulation schemes we have devised offer fruitful insights 
into the physical meaning of superselection rules. 

Our results do not address whether the security of pro- 
tocols with more than two parties can be enhanced by 
superselection rules that do not arise from compact sym- 
metry groups. New issues arise in this setting, because of 
the nontrivial braiding properties of nonabelian anyons. 
For example, in the case of three parties (Alice, Bob, and 
Charlie), Alice can split her charge into two parts, and 
send one part on a voyage that circles Bob's lab and then 
returns to Alice's lab. This action can induce a change in 
the charge held by Alice, accompanied by a compensating 
change in the total charge held by Bob and Charlie, even 
though the local charge in Bob's lab, and in Charlie's, is 
unaltered. Though strictly speaking Alice's operation is 
not "local," she can carry it out surreptitiously, without 
any cooperation from Bob and Charlie. Such new possi- 
bilities enhance the potential power of cheaters, but may 
also provide the honest parties with new methods for de- 
tecting cheating. Addressing the security of multiparty 
quantum protocols subject to general superselection rules 
will require different methods than we have used in this 
paper, and might provide further enlightenment concern- 
ing the physics of nonabelian anyons. 